Slashdot Mirror


UK Banking Law Blames Customers For Insecure OS

twitter writes "If you use an insecure OS in the UK and someone drains your bank account, the banks say it's your fault. The Register reports: 'The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware, and firewall software installed on their machines.'" twitter went on to note that the majority of consumer PCs use an operating system with a history of security issues. Should end users be ultimately responsible for the state of their systems?

430 comments

  1. Oh no you didn't! by symbolset · · Score: 0, Flamebait

    This should be fun.

    --
    Help stamp out iliturcy.
    1. Re:Oh no you didn't! by jschimpf · · Score: 5, Insightful

      So give every customer a Live CD of a really locked down Linux and a special purpose browser pointed to the bank.

    2. Re:Oh no you didn't! by Gareth+Williams · · Score: 2, Informative

      And if an exploitable bug should be found in the browser, what then? Send out new CDs to all your customers and hope nobody continues to use the old one?

      Building your system around read only media has always been a bad idea. You can't patch it when something goes wrong - and something always goes wrong.

      --

      --Gareth
    3. Re:Oh no you didn't! by tubapro12 · · Score: 3, Insightful

      Isn't this the bank simply saying "we're too lame and lazy to write a secure website and teach our users how to safely surf the Internet"?

    4. Re:Oh no you didn't! by funfail · · Score: 3, Insightful

      If you configure the browser to connect to the bank's site but nowhere else, who can exploit the vulnerability in the browser?

But it is still a bad idea. While I am working, I want to do some banking stuff several times a day. If I had to restart my notebook every time, it would suck. I might start using a VMware instance, but not every bank customer is able to.

    5. Re:Oh no you didn't! by tacocat · · Score: 1

That's rather near-sighted of you.

      How do you bridge the gap between commerce and on-line banking when you have limited access to the internet? By limited I also mean compatibility with the commerce site designs and URLs that you've excluded by this approach.

      Might sound good, but it's not practical. Neither is banning on-line banking, but that's going to be effective too.

    6. Re:Oh no you didn't! by Anonymous Coward · · Score: 0

VMware won't protect you from keyloggers though.

    7. Re:Oh no you didn't! by repvik · · Score: 1

      Then an attacker could try to use a combined attack, using a flaw in the browser combined with DNS poisoning.

    8. Re:Oh no you didn't! by brunascle · · Score: 1

If the URL was HTTPS and the browser was configured to reject any certificate not fully authenticated, DNS poisoning couldn't do anything except denial of service.

    9. Re:Oh no you didn't! by repvik · · Score: 1

      Yes, but we're talking a combined attack here. If someone found a flaw in the browser allowing bypassing the certificate check, you're pwned.

    10. Re:Oh no you didn't! by PigleT · · Score: 1

      No. If anything, it's exactly the opposite. It's not the banks' job to "support" end-users any more than it was to "support" their browsers. Remember the hideous errors with online banking when you pointed NS4 or earlier versions of Firefox at them, with rejection messages based on user-agent? That stems from a failure to understand that the bank provides a service over HTTP that people should point whatever browser they like at. If websites were designed with that in mind, the web would have been a whole lot better.

      I don't even understand why there's a question like "Should end users be ultimately responsible for the state of their systems?". Of *course* it's every user's individual responsibility to look after their machine. Why else did they buy it?

      I'm not sure what extra firewall and anti-virus software I need for debian/testing with security updates updated daily, mind. ;)

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
    11. Re:Oh no you didn't! by eheldreth · · Score: 1

      Not that I think it's the greatest idea but a simple solution would be to build a monthly (insert better time frame if you wish) time out that would prevent the cd from booting. Then you could send your customers a fresh and patched CD once every time out period. Or perhaps build in a check that would prevent older CD's from accessing the internet. You could run a script on start up that would get the latest version number from the banks website and disable networking and display a message if the CD wasn't up to date. Neither are perfect but they would keep the average customer from connecting with outdated software.

      --
      The perversity of the Universe tends towards a maximum. - O'Toole's Corollary
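The two mechanisms sketched in the comment above (a built-in expiry that stops the CD booting, and a start-up check against a version number published by the bank) fit in one small fail-closed policy. The following is an added example, not code from the original page or from any bank; the JSON manifest format, the field names `min_version` and `revoked`, and the sample values are all assumptions made for illustration.

```python
import json
from datetime import date

# Values baked into a particular CD build (constructed for this example).
CD_VERSION = "2008.03.1"
CD_EXPIRES = "2008-04-30"


def parse_version(text):
    """'2008.03.1' -> (2008, 3, 1); raises ValueError on anything else."""
    return tuple(int(part) for part in text.split("."))


def decide(cd_version, cd_expires, today, manifest_text):
    """Return (allow_network, reason) for this boot.

    cd_expires and today are ISO dates. manifest_text is whatever the bank's
    site served for the hypothetical manifest
    {"min_version": "...", "revoked": ["..."]}. Anything that cannot be
    validated fails closed: the CD stays offline and tells the user why.
    """
    if date.fromisoformat(today) > date.fromisoformat(cd_expires):
        return False, "CD expired on {}; ask the bank for a new one".format(cd_expires)
    try:
        manifest = json.loads(manifest_text)
        min_version = parse_version(manifest["min_version"])
        revoked = set(manifest.get("revoked", []))
    except (ValueError, KeyError, TypeError, AttributeError):
        # Garbage, an error page, or a manifest missing the fields we need.
        return False, "could not validate the bank's manifest; staying offline"
    if cd_version in revoked:
        return False, "this CD build has been revoked"
    if parse_version(cd_version) < min_version:
        return False, "CD build {} is older than required {}".format(
            cd_version, manifest["min_version"])
    return True, "up to date"


if __name__ == "__main__":
    # Constructed manifest, standing in for what the bank's server returns.
    sample = '{"min_version": "2008.03.1", "revoked": ["2008.02.0"]}'
    print(decide(CD_VERSION, CD_EXPIRES, "2008-04-01", sample))
```

The fail-closed choice matters because of the combined attack raised elsewhere in this thread: if the fetch can be poisoned, the only thing the attacker should gain is a denial of service, never a permissive manifest. That in turn means the manifest has to be authenticated, either by fetching it over TLS with the bank's certificate pinned in the image or by shipping it with a signature checked against a public key burned into the CD. A public key is safe to put on read-only media; a shared secret is not.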
    12. Re:Oh no you didn't! by Corwn+of+Amber · · Score: 1

      A flaw in the browser, then DNS poisoning? People are so paranoid...

Most losses are due to paypall.com and ebay.spof.uk. What people need is not up-to-date useless software that only serves to slow the computer down more than Windows does; they need BRAINS.

      Or be forcibly moved to using Hackintoshes, so that the bank understands that it's the customer's fault if they get scammed - by not checking the address bar. And believing anything they receive by e-mail.

      --
Making laws based on opinions that stem from false information leads to witch hunts.
    13. Re:Oh no you didn't! by repvik · · Score: 1

      A network admin that isn't paranoid is no good admin ;)
The point isn't that it has to be that combination of attacks. The point here is that there might be ways to circumvent the "security" of providing read-only media for users to use. Once an exploitable flaw has been found, the media is useless for everyone and poses a security risk. Suddenly no one can use the online bank until they have pressed new CDs with a security fix. Way to go ;)

    14. Re:Oh no you didn't! by Corwn+of+Amber · · Score: 1

      Even the LiveCD is a solution to a non-existing problem. It won't fix the huge majority of phishing scams, like "enter your account details on paypall.com" or "money transfers now go through bankofamerika.cjb.net".

      The bank would better tell their customers "If you're using Windows for using with our online banking, then it's your fault when (not if) you get scammed."

      --
Making laws based on opinions that stem from false information leads to witch hunts.
    15. Re:Oh no you didn't! by CommanderIsm · · Score: 1

      hear hear

  2. Scare tactics by plover · · Score: 4, Informative
    Let's see, just exactly WHO should be responsible for the banks' security? Some random customer who is using them, or a staff of professionals whose entire industry is founded on the protection of money belonging to random customers? Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards.

    But I think there's an ulterior motive here. As a part of Chip-and-PIN, the UK is testing a brilliant two-factor authentication system this year for cards that will cryptographically render browser, PC, and merchant security moot. It's possible this is being used as a "warning shot" to frighten consumers into picking up the tab for the high cost (approximately $70) of the handheld security module.

    They have the technology to keep it safe now. I think they're just too cheap to fund it themselves. (And I really wish we'd start seeing that kind of security technology available here in America. I'd switch banks and pay the $70 myself in a heartbeat.)

    --
    John
    1. Re:Scare tactics by aedan · · Score: 3, Informative

      Do you mean the things which look like pocket calculators and your card slides into the top? We have a couple of them already but the bank hasn't asked us to use them yet. They didn't charge for them.

    2. Re:Scare tactics by CRCulver · · Score: 5, Informative

      Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards.

      At least in Finland (and I imagine probably the other Nordic countries as well), you can use cash for a decreasing amount of payments. Nearly everyone who demands money of you wants you to pay by bank transfer, and if you don't use your free online banking and decide you want to hand cash to a teller, there's a 3 euro fee for the service. Nearly everyone who wants to pay you money will only deposit it directly into your bank account, there are no more cheques. I'm sure this will spread to other EU countries.

    3. Re:Scare tactics by Wapiti-eater · · Score: 5, Insightful

      "About damned time!", I say.

      Banks are held accountable for THEIR systems.

      Users should be accountable for THEIR systems as well.

      Now, if the bank sold, loaned or leased to me a data terminal for accessing THEIR systems - sure, they'd be accountable for it. But since I'm using MY system, that I configured, operate and maintain - how on earth can the BANK be accountable for that?

For years now, geekly types have been crying about the vulnerability in the "popular products". Since that product held an effective monopoly on the market, consumers happily drank the only 'kool-aid' available.

      Now that these same individuals that have been enjoying 'oblivious immunity' will have to pony up for the failures in their personally owned tools - they'll demand, and get, improvements.

      It's only good for everyone.

      --
      Senior NCO in the fight against entropy. I've seen things, man. Things no one should have to see.....
    4. Re:Scare tactics by Kristoph · · Score: 4, Interesting

The issue at hand is not the bank's security. It is the security of the consumer's account.

      In any case, do you really want the bank to be responsible for the security of your system? Because, honestly, I REALLY DO NOT want the banks 'staff of professionals' ensuring my security by requiring I install some type of custom 'security' software.

      ]{

    5. Re:Scare tactics by Idiomatick · · Score: 1

Uh, you are held responsible if you give your bank card and password to someone too. It is impossible, I repeat IMPOSSIBLE, for them to secure your computer from people reading your keystrokes. How AREN'T you responsible for it?

      On the other hand I think banks should offer recovery services. But they should charge for them. AND the money should not be handed out to you. That would be like if I took money out of the bank and fucking lost it. It's not the bank's fault in even the slightest.

    6. Re:Scare tactics by nurb432 · · Score: 2, Insightful

      Depends on where the leak was.

Was it on the user's PC? Then I guess it's their fault technically. If it's in the bank's system, then the bank is on the hook.

Problem is that people really don't/can't understand the systems they are using as they are far too complex, and to expect/demand them to keep them 'safe' is ludicrous. (Even "IT pros" can't always do it with the constant barrage of attacks on what are fundamentally flawed systems.)

      However, the same logic goes for a car. It's far too complex for most people, but if their brakes go out or a wheel falls off and they cause a crash, it's their fault.

      --
      ---- Booth was a patriot ----
    7. Re:Scare tactics by ergo98 · · Score: 3, Insightful

      I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards

Banks are responsible for their own systems, and that is the full-time focus of those professionals. It is irrational, in my opinion, to expect them to take full culpability for the entire universe of client systems as well. Unless you're willing to accept a dictum that you must use BankOS running on BankHardware over the BankNet if you ever plan on accessing your money.

      They have the technology to keep it safe now. I think they're just too cheap to fund it themselves.

When you make demands on business, in the end the person who ends up paying is you, not "them". Personally I'd rather not subsidize people who can't take even rudimentary responsibility over their own risk factors, though I would like to see a greater use of two-factor authentication and the like, as you rightly heralded.
    8. Re:Scare tactics by Anonymous Coward · · Score: 0

      Actually the terminals are a pain in the ass.

      If I don't have it with me, I can't even log into my bank account. Every so often it stops working, and for a day or two I am completely unable to access my money.

What galls me is that the terminals are inconveniencing me to solve the banks' problem - not mine. I'm already offered a cast-iron guarantee by the bank that if anyone hacks my bank account, the bank will cover it. Therefore this terminal covers their losses, not mine. These safeguards were introduced to encourage people to use online banking (which lowers banks' running costs, btw).

      I'm leaving the bank (Barclays) that forces me to use this crap, and going to a decent bank that remembers that being able to access your money is as important as minimizing the banks' losses.

    9. Re:Scare tactics by plover · · Score: 5, Informative
      Yes, those are the devices.

      What they do is move all the encryption to a "trusted platform" -- the device itself. You enter your card and your PIN into the handheld, and it's their own crypto hardware using their own crypto algorithm to generate a one-time-use PIN for you to enter into the merchant's PIN pad or into a web site.

      This turns your card into a pure identification token, and turns your PIN into a secure authentication token. Without both tokens, the bank refuses to part with your money. You can enter this into a sleazy internet cafe's browser. It doesn't matter if that transaction's data is stolen or not, because the bank won't authorize your one-time PIN for a second transaction.

      What makes these a great solution is not just their security, but that they're backward compatible with current PIN pad technology. The retailers just send your PIN along, they don't care if it's your personal PIN or a generated PIN. The bank takes care of that.

      There's an even more secure variant that ABN-AMRO has deployed for web banking transactions. You enter the amount of the transaction into the handheld along with your PIN. That way, only the amount you authorize will be transferred, and the PIN is useless for any other amount.

      (I'm basing my guess of $70 on the price of similar hardware offered by RSA with their SecurID scheme, but it's just a guess.)

      --
      John
    10. Re:Scare tactics by Naughty+Bob · · Score: 5, Insightful

"About damned time!", I say.

      Banks are held accountable for THEIR systems.

      If a bank only lets you connect via one OS/browser combo, you are effectively co-opted into the software ecosystem as designed by the bank- it's all their system.

      I don't use my bank's internet-based facilities, because they don't support my (more secure) choice of software- bizarre...
      --
      "Be light, stinging, insolent and melancholy"
    11. Re:Scare tactics by buravirgil · · Score: 2, Insightful

      I suppose your argument lies in the term "access" as when you sign on to the bank's servers, you have "entered" a bank and to what party a responsibility of security is assigned is the literal argument you so damn with time.

      This very question has already been addressed by the Securities and Exchange Commission...
      http://www.nytimes.com/2008/02/15/business/15norris.html?_r=1&oref=slogin
      with a decision with which, I might infer from this quickly modded post, you profanely contend.

      I would pose the question as to the greatest likelihood of fraud that might go undetected. A bank blaming an individual, of which there would be potentially hundreds of thousands to consider or an individual blaming a bank, fewer in number, properly regulated and inspected.

Moreover, given the advantage Gates' OS has maintained for decades and its nearly endemic nature of viral infection...pretty much anybody logging onto a bank's servers has a virus on their machine, and all a bank need do is task the police to recover a computer, find a virus and claim the bank is not at fault.

      So, the question becomes a chain of evidence and which route is of less resistance.

      --
      Would were! Should is! Could be! And live a hundred times three.
    12. Re:Scare tactics by Lobster+Quadrille · · Score: 1

Seconded. The banks need to be responsible for their own systems (I haven't been hugely impressed by that either), but they have NO responsibility to ensure that your access point is secure.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    13. Re:Scare tactics by Anonymous Coward · · Score: 1, Insightful

      What worries me is that by the banks putting the onus on the end user they do not have to make their interfaces secure. Currently most banks only ask for certain parts of a password and ask to input using drop down boxes and buttons that require mouse clicks. This is pretty good step towards foiling the key loggers. Without the pressure on the banks will they continue to put resource into this sort of stuff. It won't be their fault any more.

    14. Re:Scare tactics by MyForest · · Score: 3, Interesting

      How ironic. I just switched from Barclays because they implemented this scheme. Note that Barclays give you everything you need for free.

      You need a user id, password, your card and the PINSentry device to access the site. That's sort of OK when you're at home. It's not great when you leave your card in the reader and don't realize until the next day when you're in the shop. It's not great when you travel and you have a few different accounts setup. Although Mr G overcame that he wouldn't have his card to make payments with!

      It's spectacularly bad when you have a Python script screen-scraping their site twice a day and you're running the transactions through your local "suspicious transactions" algorithm. I record the bulk of my future transactions, so it's easy for me to spot erroneous ones - heck, I even have a secure RSS feed for the transactions from my five accounts. There's no way to give my bank this payment information (yet) so their heuristics are running without the data that would really help them. I had a heart-to-heart with my Premier Account Manager at Barclays about this and his hands were tied - they just aren't advanced at all. If they want to keep the data in their closed world then they need to give me the tools in that world to manage my money (and yes, OpenPlan is a step in that direction - great if you only use Barclays I guess).

    15. Re:Scare tactics by plover · · Score: 2, Interesting
      Fortunately for us here in America, someone long ago was smart enough to include the words "THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE" on our currency, and I understand it's actually against the law (sorry, no citation) to refuse to accept cash for the full amount.

      Of course, that's been tempered with the anti-money-laundering laws requiring identification for cash transactions exceeding $10 000. But still, if you owe $10, then the debtor must accept a $10 bill as payment in full.

      --
      John
    16. Re:Scare tactics by Anonymous Coward · · Score: 0

      It's a bank's burden to properly authenticate you. If they fail at it, it's their fault.

    17. Re:Scare tactics by plover · · Score: 1
      It's not software at all. It's external hardware that the banks distribute. You enter your PIN into the trusted device, it sends that into your smart card for encryption, and it outputs a one-time-PIN for you to use for one transaction.

      It doesn't matter where you use that PIN -- it's just a set of digits. You can enter it into the PIN pad at the grocery store, into a web site to transfer money, or into a PIN pad at Tony Soprano's bar, and nobody can do anything with it.

      Now, if you use it to send money to an eBayer and he keeps the money but doesn't send you your stuff, well, that has nothing to do with trusting the banks and everything to do with trusting some random schmuck on the internet.

      --
      John
    18. Re:Scare tactics by Anonymous Coward · · Score: 0

Whilst most banks insist that the only browser able to access their websites is INTERNET EXPLORER, then surely the banks should own some level of the responsibility.

I'd gladly junk this bloatware for another browser... except 2 of my bank / credit card sites won't honour anything other than IE.

      IE (and windows) are highly exploitable, and no amount of anti-virus, anti-spyware, firewall can protect 100% against any threat.

In a way this is just belt-tightening by the banks (owing to the current credit crunch, and lack of lending between banks that has ensued as part of the mortgage fiasco in the USA). If they make end users liable, they don't lose money.

      Even the new two-factor cards that are due out won't stop all issues as they still rely on IE.

      You can bet the average on-line shop won't have facilities to use the new two-factor stuff. Thus you are still exposed.

    19. Re:Scare tactics by dissy · · Score: 5, Informative

Fortunately for us here in America, someone long ago was smart enough to include the words "THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE" on our currency, and I understand it's actually against the law (sorry, no citation) to refuse to accept cash for the full amount.

      http://www.treas.gov/education/faq/currency/legal-tender.shtml

      Q) I thought that United States currency was legal tender for all debts. Some businesses or governmental agencies say that they will only accept checks, money orders or credit cards as payment, and others will only accept currency notes in denominations of $20 or smaller. Isn't this illegal?

      A) The pertinent portion of law that applies to your question is the Coinage Act of 1965, specifically Section 31 U.S.C. 5103, entitled "Legal tender," which states: "United States coins and currency (including Federal reserve notes and circulating notes of Federal reserve banks and national banks) are legal tender for all debts, public charges, taxes, and dues."
This statute means that all United States money as identified above is a valid and legal offer of payment for debts when tendered to a creditor. There is, however, no Federal statute mandating that a private business, a person or an organization must accept currency or coins as payment for goods and/or services. Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise. For example, a bus line may prohibit payment of fares in pennies or dollar bills. In addition, movie theaters, convenience stores and gas stations may refuse to accept large denomination currency (usually notes above $20) as a matter of policy.

    20. Re:Scare tactics by SJS · · Score: 3, Insightful

      If a bank only lets you connect via one OS/browser combo, you are effectively co-opted into the software ecosystem as designed by the bank- it's all their system.

      I agree. I disallow any client-side code to run in my browser, and that makes it difficult or impossible to use many financial websites (not because allowing it would be more secure, but because the developers of the website go out of their way to make it that way).

      Responsibility needs to go hand-in-hand with the power to make a decision; if a bank requires particular combinations of software, or disallows my preferred security policies, then it's their decision, and should be their responsibility. If the bank merely recommends software, but doesn't seek to subvert my security policy, then yes, faults in my security policy are my own damn fault.

      --
      Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
    21. Re:Scare tactics by v1 · · Score: 5, Insightful

      I'd mod you up but you're at +5 already so I'll just add my 2c to your comments. "About damned time!" Got that straight.

A coworker got his Xbox Live account phished several weeks ago. Although he's having a really hard time getting his account recovered properly, he's fully accepted responsibility for what he did. I showed him an example phishing email I got and how it takes you to Chase Visa and you look in the URL and it's some random IP in Russia. He had no idea to pay attention to that, but now he does.

      And he 100% accepts responsibility for his actions. And that's how it should be. But there's not enough of that going around right now, too many people wanting to blame their own lack of education on the world. If you don't understand a system to the point that you are not able to use it responsibly, you shouldn't be using it.

That's why we have driver's licenses. I've seen the idea jokingly suggested from time to time that you should require a permit to get on the internet. And it's things like this that make me seriously wonder if they have something there. But then it's someone taking the responsibility away from you and accepting the burden themselves. They can be held accountable for giving you a permit if you don't know what you're doing. So you see, these types don't want to accept the responsibility for making sure they are educated, and they don't want to accept the responsibility for what happens to them as a result.

      Can't have it both ways.

      You either have to submit to someone else making sure you are competent, or you have to be willing to accept responsibility for the outcome of your incompetence.

      --
      I work for the Department of Redundancy Department.
    22. Re:Scare tactics by turgid · · Score: 1

      They've changed that now. We have chip and PIN.

    23. Re:Scare tactics by The_Wilschon · · Score: 4, Interesting

      There is a subtlety here that you may have missed. Cash is legal tender for all debts. So, if you have already incurred a debt, then your creditor must accept cash as payment. However, most transactions do not involve you incurring a debt. For instance, when you pay to get on the bus, you have not yet incurred a debt, whereas if you eat a meal in a restaurant, then by the time you get the check, you do owe a debt. So, the bus driver may refuse cash; the restaurateur may not.

      Interestingly, according to wikipedia, the "legal tender" phrase was added because the government couldn't pay its debts with gold or silver, and nobody wanted paper money instead. The phrase was added to compel them to accept the paper money.

      --
      SIGSEGV caught, terminating

      wait... not that kind of sig.
    24. Re:Scare tactics by TheRaven64 · · Score: 5, Interesting

      And what happens if your bank is Egg (now owned by Citi Group) and tell you every time you log in that you should try the Egg Money Manager, which is only available as an ActiveX control? It's frustrating to keep telling users 'disable ActiveX' and have banks tell them to enable it (and use IE), and if they do then I think they ought to accept at least partial responsibility for the user's poor security.

      --
      I am TheRaven on Soylent News
    25. Re:Scare tactics by Yetihehe · · Score: 1

Why don't you switch banks? My bank's internet website works fine on almost all browsers (I wanted to try with links, but it doesn't support SSL; I think it would work though). I also have one-time passwords sent to my cellphone (more useful than paper one-time pads).

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    26. Re:Scare tactics by xaxa · · Score: 2, Insightful

      In the UK, that only applies for a debt, i.e. if you already owe someone the money then they have to accept legal tender (essentially coins and banknotes, but with some exceptions: a creditor doesn't have to accept more than £2 of £0.01 or £0.02 coins in a transaction, for instance, but they have to accept £1, £2 or £5 coins in any amount).

      Because there's no debt, a shop is not breaking any law by putting up a notice saying "we don't accept £50 notes", and neither is someone who will only accept credit cards for purchasing stuff.

      I wouldn't want large amounts of cash for most purposes. I pay for transport automatically (the cost comes out of my bank by debit card), for food at college by card (loading up a pre-payment card), everywhere accepts cards, and I'd rather not carry more cash than I need. Cheques are annoying, I have to walk into the bank, though they're still quite common. There isn't the EUR3 fee for depositing cash at a bank yet.

    27. Re:Scare tactics by TheRaven64 · · Score: 2, Informative

It is impossible, I repeat IMPOSSIBLE, for them to secure your computer from people reading your keystrokes.

      They can't prevent you from installing a malicious keylogger, but they can mitigate it. To log in to my bank's site, I put my card in a reader they provided, hit 'authenticate' and enter my PIN. It then gives me an 8-digit number which I enter. This is a hash of my PIN (something I know), some data on my card (something I have) and, I believe, some monotonic counter (not sure if it's time-based, or if it just generates them in a sequence and they only let you go a few ahead to account for failures).

      If I want to transfer money to someone I haven't paid before (and said I want them to allow me to pay again), then I have to enter the amount and the recipient's account number into the same device and get another hash to allow the transaction to proceed. My computer could be completely compromised, and all that the attacker would be able to do is read my balance and transfer money to people I've paid before.
      --
      I am TheRaven on Soylent News
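The card-reader scheme described by plover (a one-time code that is useless for a second transaction, with a variant that binds the amount) and by TheRaven64 above (an 8-digit code over card data and a counter, plus a second code over amount and account number for new payees) can be modelled in a few dozen lines. What follows is an added example, not the real EMV CAP protocol and not code from any bank: it assumes a per-card HMAC secret shared with the bank, a counter the bank tracks with a small look-ahead window, PIN verification done on the card (three tries, then blocked), and constructed card IDs, amounts and account numbers. The point it shows is which tampering the bank can reject: replaying a code, changing the amount or payee after the code was generated, and using a login code to authorize a payment.

```python
import hashlib
import hmac

CODE_DIGITS = 8
COUNTER_WINDOW = 5      # codes the bank will skip past (typos, aborted sessions)
PIN_TRIES = 3


def _code(secret, counter, amount, account):
    """8-digit code over the counter and, for a payment, the exact transfer.

    Hypothetical construction: HMAC-SHA256 truncated to 8 decimal digits. The
    real scheme uses the chip's EMV cryptogram; only the shape is modelled here.
    """
    msg = "{}|{}|{}".format(counter,
                            "" if amount is None else amount,
                            "" if account is None else account)
    mac = hmac.new(secret, msg.encode(), hashlib.sha256).digest()
    return "{:0{width}d}".format(int.from_bytes(mac[:4], "big") % 10 ** CODE_DIGITS,
                                 width=CODE_DIGITS)


class Card:
    """Stands in for the chip: the secret never leaves it, the PIN is checked
    on-card, and the counter only ever goes up."""

    def __init__(self, secret, pin):
        self._secret = secret
        self._pin = pin
        self.counter = 0
        self.tries_left = PIN_TRIES

    def sign(self, pin, amount=None, account=None):
        """What the reader asks the card for after the user types the PIN."""
        if self.tries_left == 0:
            raise RuntimeError("card blocked")
        if not hmac.compare_digest(pin, self._pin):
            self.tries_left -= 1
            raise ValueError("wrong PIN")
        self.tries_left = PIN_TRIES
        self.counter += 1
        return _code(self._secret, self.counter, amount, account)


class Bank:
    """Holds each card's secret and the last counter value it accepted."""

    def __init__(self):
        self._cards = {}

    def enrol(self, card_id, secret):
        self._cards[card_id] = {"secret": secret, "last": 0}

    def verify(self, card_id, code, amount=None, account=None):
        """Accept a code once, and only for the transaction it was made for."""
        rec = self._cards[card_id]
        for c in range(rec["last"] + 1, rec["last"] + 1 + COUNTER_WINDOW):
            if hmac.compare_digest(code, _code(rec["secret"], c, amount, account)):
                rec["last"] = c           # this and every earlier code is now dead
                return True
        return False


def demo():
    """Login, replay, malware-altered transfer, genuine transfer, code reuse."""
    secret = hashlib.sha256(b"constructed per-card key, not a real one").digest()
    card = Card(secret, "1234")
    bank = Bank()
    bank.enrol("card-1", secret)
    out = {}
    login = card.sign("1234")
    out["login"] = bank.verify("card-1", login)
    out["login_replay"] = bank.verify("card-1", login)
    pay = card.sign("1234", amount=15000, account="12345678")
    out["amount_changed_by_malware"] = bank.verify("card-1", pay, amount=99999, account="12345678")
    out["payee_changed_by_malware"] = bank.verify("card-1", pay, amount=15000, account="87654321")
    out["payment"] = bank.verify("card-1", pay, amount=15000, account="12345678")
    login2 = card.sign("1234")
    out["login_code_used_as_payment"] = bank.verify("card-1", login2, amount=15000, account="12345678")
    out["login_again"] = bank.verify("card-1", login2)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print("{:30s} {}".format(name, "accepted" if ok else "rejected"))
```

Two things in the model carry the security argument made in the thread. First, the code is only meaningful once, because the bank's `last` counter moves past it; this is why typing it into a compromised browser or a sleazy cafe PC costs nothing. Second, for a payment the amount and destination account are inside the MAC, so malware that rewrites the transfer after the user has typed the code gets a rejection rather than a redirected payment. What the model does not fix is the gap TheRaven64 points out: a login code says nothing about amounts, so anything the bank allows on the strength of a login alone (transfers to existing payees) is still exposed.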
    28. Re:Scare tactics by QuietLagoon · · Score: 1
      Let's see, just exactly WHO should be responsible for the banks' security?

Your initial premise is incorrect. You need to ask who is responsible for the credentials (e.g., passwords) that the customers hold to their account. The bank's security is usually (emphasis on usually) fine. It is the customers who do not understand security of electronic finance.

      In other words, people, who know that leaving the car keys in the ignition is insecure, are willing to click on an email attachment from someone they do not know. Why is this the bank's fault?

    29. Re:Scare tactics by alveraan · · Score: 1

      What's even better is that this method is completely OS and browser independent. I actually switched my accounts to a different bank to be able to do home banking on linux using firefox and haven't been looking back ever since.

      --
      Everytime you kill a kitten, god masturbates.
    30. Re:Scare tactics by hedwards · · Score: 1

      Let's see, just exactly WHO should be responsible for the banks' security? Some random customer who is using them, or a staff of professionals whose entire industry is founded on the protection of money belonging to random customers? Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards. I don't think that it's entirely unfair to require that a person be using secure equipment if they want to be protected in this fashion. But the anti-phishing requirement is in and of itself fishy. Realistically anti-phishing software isn't necessary for people that don't give out their personal information through unsecured sites. It's tough, and requires things like DNSSEC, SPF, DKIM and such, but it's definitely possible to do well without it.

      Whether or not I'd be fine with this sort of thing would ultimately depend upon what evidence was required to determine whose side the leak was on. Just because a computer has thousands of spyware programs and viruses doesn't necessarily mean that the breach occurred there. And it certainly should not absolve the bank of checking for screwy transactions.

      But I think there's an ulterior motive here. As a part of Chip-and-PIN, the UK is testing a brilliant two-factor authentication system this year for cards that will cryptographically render browser, PC, and merchant security moot. It's possible this is being used as a "warning shot" to frighten consumers into picking up the tab for the high cost (approximately $70) of the handheld security module. That technology has been around for quite a while, and has seen very little use for exactly that reason. It's unfortunate, but without requiring that banks use the technology they won't. And the current administration has a pro-business, to-hell-with-the-consumers mentality in terms of the financial industry.

      They have the technology to keep it safe now. I think they're just too cheap to fund it themselves. (And I really wish we'd start seeing that kind of security technology available here in America. I'd switch banks and pay the $70 myself in a heartbeat.) Wouldn't make much of a difference, banks aren't required to disclose security breaches, monitor checking accounts for suspicious activity and in many cases engage in shoddy security practices because nobody's checking up on them.

      I'm probably more cynical about this than most people, but it took TD Ameritrade months to admit that they had lost personal information. And I still have no idea as to how much they actually got. Right now I get printable spam complete with everything except credit card info from online pharmacies.
    31. Re:Scare tactics by Nursie · · Score: 4, Informative

      Perfect up until this bit - "The retailers just send your PIN along, they don't care if it's your personal PIN or a generated PIN."

      This has never been the case in the UK, we have never had PIN entry at the retailer until the EMV (chip 'n' pin) cards came along, and they work the same way as you suggest - the pin pad and card reader are trusted devices and the PIN never leaves them. They are encrypted, by the card, along with the amount of the transaction (which is displayed to the user, not entered by them) and various other bits of information. The retailer's network never gets your PIN, only the device and the bank's word that it was correct.

    32. Re:Scare tactics by J+Isaksson · · Score: 5, Informative

      The problem is this: in the first case the internet cafe browser, hacked, can display what you wanted to do (pay $50 bill to AT&T) and send an entirely different transaction to the bank (move all money on savings account to random account in Jersey). Since the PIN is totally independent of the transaction, the only thing that you authenticate is that it's actually you getting ripped off, not anyone else ;-) Case 2 will limit the amount that gets stolen, but except for that the same weakness applies.

    33. Re:Scare tactics by nospam007 · · Score: 1

      Of course, that's been tempered with the anti-money-laundering laws requiring identification for cash transactions exceeding $10 000. But still, if you owe $10, then the debtor must accept a $10 bill as payment in full.

      But he has to count the money, control the employees, buy expensive treasure vaults, guard the money inhouse, pay a security company to transport it to the bank, risk lives, buy insurance and and and ...
      Who wants that nowadays?

    34. Re:Scare tactics by Giant+Electronic+Bra · · Score: 1

      ROFL! So, let me get this straight. Your PC is infected with whatever malware, or just buggy client software you happen to have installed, and via interacting with my financial application you leak information, etc and get 0wned. And you want to make ME responsible!!!!!!!????? Wow, what a fscking smart idea! Excuse me, you missed a couple of points my friend. 1) It is your PC, you own it, you operate it, you install the software on it. What business is it of mine telling you how to manage it? 2) Even supposing I WANTED to tell you how to manage it. Let's say I provide you with a 'free auditing tool', it is STILL not my responsibility to see to it that you use it wisely. 3) Supposing some law DID make me responsible for your PC. WTF??!! How do I have any possibility of carrying out that expectation. Shall I ship you a lock box to put the machine in so it's physically secure? Shall my technicians show up and install my software (AND NOTHING ELSE) on my preferred OS so I know you're secure? I'm SURE AS HELL not going to insist on ANY less than that if I'm on the hook!!! The whole concept is preposterous on the face of it. An absurd proposition which cannot be implemented in the real world. Now, let's be clear here, both the customer and the bank have an interest in being able to do secure business together. So as you say, picking up a $70 tab makes perfectly good sense, and maybe the cost should be split between you and the bank. But also recall, they're a business, they WILL make back that money, so basically I think it is smarter if they just say 'You need a device that complies with XYZ standard to talk to us.' And maybe ONLY THEN does the bank assume liability. Personally if I was the bank I'd still be nervous. Yeah, banks should be, and are, on the hook for whatever happens inside the limits of their own networks, but outside of that, it is just not POSSIBLE.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    35. Re:Scare tactics by EvilIdler · · Score: 1

      There's a links-ssl. As long as your bank doesn't use stupid plugins
      to display the login box (like mine unfortunately does), that should work.

    36. Re:Scare tactics by Teun · · Score: 1

      For many years my RABO bank has used the Random Reader from vasco.com.
      It is supplied free of charge, when you lose it or it breaks you can pick a new one up for free at any of the branches.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    37. Re:Scare tactics by hibiki_r · · Score: 1

      I for one think this is madness. Why? because there's no way to be 100% secure on the internet. It doesn't matter what tools you use, or how you do it: bugs happen, and from bugs come exploits, and from exploits, bank fraud. If the bank is to blame, many things can be done about it systematically by banks. They have the resources to enhance security, and the ability to talk to other banks to deal with fraudulent transactions.

      If the user is to blame, the banks don't give a crap. If your money flies away, they wouldn't care. Transferring all your funds to a Russian account? oh well, they used the correct password, so it's the customer's fault. A bank can handle it if one in ten thousand transactions is fraudulent. All an average Joe needs to have their finances wrecked is ONE transaction. Which would be acceptable and all, if there were such a thing as 100% security.

      Just think about it: what do you need to have real security? Even a normally trusted site can be hacked to embed a 0 day exploit of any browser, in any OS. So you better have a banking-only browser. Even if you do, chances are your OS isn't truly safe from a privilege escalation attack of some sort. So I guess you need to run a separate install of the OS, used just for banking. And then someone could run a man in the middle attack after hacking your router, which leads to even more layers of security, all of which can still be broken.

      In the end, nothing short of a closed banking appliance connected directly to their network is free from tampering. And that's just because our friend the bank would be liable for the defects in its software and hardware.

      With laws like that, expect a booming banking insurance industry, where insurance companies take the risks that normal people can't take. How is that any better than what we have now?

    38. Re:Scare tactics by Idiomatick · · Score: 0

      :p that defeats the point of ebanking now doesn't it lol. There is a limit in security vs annoyance. I'm sure giving people card readers in the 1st place would be a devastating security breach.

    39. Re:Scare tactics by Urza9814 · · Score: 1

      Wow. That sucks. I'm in the US, and I use cash for everything except orders online. But even many online stores I've found will accept cash or checks mailed in. They don't like it, but they'll take it. Hell, I know people who still don't have credit or debit cards.

    40. Re:Scare tactics by Anonymous Coward · · Score: 0

      Right. I also don't want my bank hiring a staff to troubleshoot and secure my neighbors' Windows 95 machines, and raise my rates because of it.

      That is, unless they track what OS/browser you're using and set rates according to the time/money they spend on security on that platform, but I doubt they'd do that.

      Imagine what it'd do for Linux/Firefox/Mac marketshare, though: "$5/month security fee for using Windows".

    41. Re:Scare tactics by Simon · · Score: 4, Informative

      That is a good point which you make. The ABN AMRO have that covered too, for the most part. For most transactions this attack is possible, but there is an extra security precaution which kicks in when you try a transaction above a certain amount (1000 euros? I can't remember, I've only hit it once). When this happens you are also requested to enter the target bank account number and the sum into the device. Basically signing those details of the transaction too.

      I'm generally very impressed with the ABN's solution to this. It actually seems to solve the problem and is not just another case of security theater.

      --
      Simon

    42. Re:Scare tactics by KDR_11k · · Score: 1

      Why don't you sign those into the device at all times? For point-of-sale transactions it won't be an issue since the terminal already displays the amount you authorize.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    43. Re:Scare tactics by Tuoqui · · Score: 4, Informative

      Unless they use a Paperclip

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
    44. Re:Scare tactics by ultranova · · Score: 1

      You can enter this into a sleazy internet cafe's browser. It doesn't matter if that transaction's data is stolen or not, because the bank won't authorize your one-time PIN for a second transaction.

      It doesn't need to. Joe Robber can simply use a phishing site or man-in-the-middle attack to get the one-time PIN before Joe Merchant can, and cash it in first. You've still lost money without receiving whatever it was you were paying for.

      Now, obviously this system has the benefit of limiting the damage: Joe Robber can't get more from your account than you've authorized Joe Merchant for (assuming that the PIN encodes the amount to be transferred in it). However, you still shouldn't conduct business from a sleazy Internet cafe.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    45. Re:Scare tactics by KDR_11k · · Score: 1

      Oh it's like that in many countries but most banks charge less, I think it's about 20 cents for a transaction if you use one of those transaction computers in the bank (it goes to nearly 3 Euros if you signed up for an account that's explicitly meant for online banking but if you get a regular offline account it's dirt cheap). Depositing money into your account is free AFAIK so if I want to transfer the 50 Euros I have in my pocket to another person I'd deposit it with the deposit machine, then go to the terminal and punch the data in so the money gets sent.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    46. Re:Scare tactics by u2pa · · Score: 1

      The devices only cost around $5-6 now (if the bank orders a couple hundred thousands).

      With the rise in fraud with online banking accounts, these devices are going to be implemented during 2009 (at the latest).

      --
      Officially: "No comments"
    47. Re:Scare tactics by Xtravar · · Score: 1

      And he 100% accepts responsibility for his actions. And that's how it should be. But there's not enough of that going around right now, too many people wanting to blame their own lack of education on the world. If you don't understand a system to the point that you are not able to use it responsibly, you shouldn't be using it. Boy does this remind me of the current US economy!

      If you bought a house with a sub-prime mortgage, fuck you, why should my tax money bail you out?

      If your bank gave out tons of dubious loans out of greed, why the fuck should the Federal Reserve save you by diluting our currency (effectively taxing all citizens)?

      By bailing out these people, nobody learns how to take responsibility for their actions, and thus it will continue to get worse until the dollar collapses.

      Meanwhile, people who make frugal decisions bear the consequences of these idiots.

      END OF RANT
      --
      Buckle your ROFL belt, we're in for some LOLs.
    48. Re:Scare tactics by Shemmie · · Score: 2, Insightful

      And as a bonus, Egg Money Manager will store all your other bank usernames and passwords, log into the sites for you, and I'm assuming it scrapes the balance information from the HTML, displaying it on the Egg page. Does that sound at all... risky?

    49. Re:Scare tactics by tepples · · Score: 2, Insightful

      And what happens if your bank is Egg (now owned by Citi Group)

      It depends: Are there banks other than Egg that have ATMs in your town?
    50. Re:Scare tactics by Anonymous+Cowpat · · Score: 1

      it's 20p of 1p and 2p coins, actually, not £2

      --
      FGD 135
    51. Re:Scare tactics by MeltUp · · Score: 2, Insightful

      Huh? Why is that? I have one of those things as well.
      My debit card is a smart-card (has one of those chips on it), and the bank gave me a simple cardreader.

      How it goes is:

      - I go to my bank's site
      - I enter my card number
      - I put my card reader into the device
      - I type the 8-digit number on the screen into the reader
      - I type my pin into the reader
      - The reader tells me the pin is OK (I assume that since it's a smartcard, if I type a wrong pin 3 times in a row, it destroys itself)
      - the reader returns an 8-digit number I type into the login screen

      I am in

      If I want to transfer money, I have to use a different procedure. I don't have to do this for every transfer, I can make a few and then do it once for all:

      - I type my pin into the card reader
      - I type a number on the screen into the reader
      - I type the total amount transferred
      - The reader returns a number which I can use to confirm the transfer

      I think this system is pretty secure. It's a minor annoyance, but after a few times it only takes a few seconds to do.

      Why would giving the card reader to people be a security breach? Am I missing something?

      --
      Computers are useless. They can only give you answers. -- Pablo Picasso
    52. Re:Scare tactics by broomer · · Score: 1

      with the Rabobank, there are four stages:
      1. identify https://www.rabobank.nl/ in the browser
      2. enter 1-time pin (out of random reader) and account number for identification and access.
      your screen name appears on the site
      3. enter transactions
      4. you get transaction pin (and amount if it is >€500) and enter those in reader, and you get another 1 time pin for completion.

      The Random reader has a clock built in, and this is also encoded in the pin, so your pin is only valid for a couple of minutes (clock running fast/slow is computed with step 1, at server-side) so you cannot authenticate with a different reader from the one you logged in with
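
The card-reader posts above (TheRaven's hash of PIN, card data and counter; J Isaksson's point that a code independent of the transaction only proves it is you being robbed; Simon's note that ABN AMRO has you key the account number and sum into the device; MeltUp's and broomer's step lists) all describe the same mechanism: a one-time code that is bound to the transaction the user typed into a device the PC cannot touch. The following Python model is an added example, not code from any bank, Vasco or the posters. It assumes HMAC-SHA256 over a card secret shared with the bank, a monotonic counter (broomer's clock-based variant would replace the counter with a time step), an 8-digit truncation, and the names `CardReader`, `Bank`, `transfer_bound` and `transfer_unbound`, which are all hypothetical. It plays through the attack Isaksson describes against both the bound and the unbound variant.

```python
import hmac
import hashlib

CODE_DIGITS = 8
COUNTER_WINDOW = 5   # bank searches this many counter values ahead (the "few ahead" in the post)


def _code_for(secret: bytes, pin: str, counter: int, context: bytes) -> str:
    """8-digit code over something you know (PIN), something you have (card secret),
    a counter, and the context the user keyed into the reader."""
    msg = hashlib.sha256(pin.encode()).digest() + counter.to_bytes(4, "big") + context
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def _tx_context(recipient: str, amount_cents: int) -> bytes:
    # The details typed into the reader; binding them is what defeats substitution by malware.
    return b"tx|" + recipient.encode() + b"|" + str(amount_cents).encode()


class CardReader:
    """Hypothetical model of the handheld reader (not any vendor's product). It holds the
    card secret, bumps a monotonic counter per code and never talks to the PC."""

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        self.pin = pin
        self.counter = 0

    def login_code(self) -> str:
        self.counter += 1
        return _code_for(self.secret, self.pin, self.counter, b"login")

    def transaction_code(self, recipient: str, amount_cents: int) -> str:
        self.counter += 1
        return _code_for(self.secret, self.pin, self.counter, _tx_context(recipient, amount_cents))


class Bank:
    """Bank side: shares the card secret, knows the PIN, tracks the last accepted counter."""

    def __init__(self):
        self.cards = {}      # card_id -> [secret, pin, last_counter]
        self.ledger = []     # accepted transfers as (recipient, amount_cents)

    def enroll(self, card_id: str, secret: bytes, pin: str) -> None:
        self.cards[card_id] = [secret, pin, 0]

    def _verify(self, card_id: str, context: bytes, code: str) -> bool:
        secret, pin, last = self.cards[card_id]
        for ctr in range(last + 1, last + 1 + COUNTER_WINDOW):
            if hmac.compare_digest(_code_for(secret, pin, ctr, context), code):
                self.cards[card_id][2] = ctr   # counter only moves forward: no replay
                return True
        return False

    def login(self, card_id: str, code: str) -> bool:
        return self._verify(card_id, b"login", code)

    def transfer_bound(self, card_id: str, recipient: str, amount_cents: int, code: str) -> bool:
        """Code must have been generated over exactly these transaction details."""
        ok = self._verify(card_id, _tx_context(recipient, amount_cents), code)
        if ok:
            self.ledger.append((recipient, amount_cents))
        return ok

    def transfer_unbound(self, card_id: str, recipient: str, amount_cents: int, code: str) -> bool:
        """The weak variant from the thread: a one-time code independent of the transaction."""
        ok = self._verify(card_id, b"login", code)
        if ok:
            self.ledger.append((recipient, amount_cents))
        return ok


def run_scenarios() -> dict:
    """Constructed scenario: malware on the PC swaps the recipient and amount the user intended."""
    secret = b"constructed-card-secret-not-real"
    bank = Bank()
    bank.enroll("card-1", secret, "4321")
    reader = CardReader(secret, "4321")
    results = {}

    results["login_ok"] = bank.login("card-1", reader.login_code())
    # Replaying the login code for counter 1 is refused: the bank's counter has moved on.
    results["replay_rejected"] = not bank.login("card-1", _code_for(secret, "4321", 1, b"login"))

    # User keys "pay 50.00 to AT&T" into the reader; malware submits a different transfer.
    code = reader.transaction_code("AT&T-acct", 5000)
    results["bound_tampered_rejected"] = not bank.transfer_bound("card-1", "JERSEY-acct", 999999, code)
    results["bound_genuine_accepted"] = bank.transfer_bound("card-1", "AT&T-acct", 5000, code)

    # Same substitution against a code that is not bound to the transaction: accepted.
    code = reader.login_code()
    results["unbound_tampered_accepted"] = bank.transfer_unbound("card-1", "JERSEY-acct", 999999, code)
    results["ledger"] = list(bank.ledger)
    return results
```

The ledger at the end holds the genuine AT&T transfer and the substituted Jersey transfer that the unbound variant let through, which is exactly the difference between the two schemes the thread is arguing about. The counter window also shows why a code from a second reader, or an old code, cannot be reused.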

    53. Re:Scare tactics by Cederic · · Score: 1
      Unless I explicitly give my banking credentials to someone (thus authorising them to act on my behalf) then frankly I don't give a shit who the bank gives money to: I haven't authorised them to give any of _my_ money to anybody else, and so they damn well better give it to me when I ask for it.

      If someone defrauds the bank by pretending the bank owes it money (by pretending to be me) then they have defrauded the bank, and not me.

      If the bank feel I have been negligent and enabled that to happen then they'd better be able to explain in court why on earth they trusted an almost certainly insecure (i.e. customer PC) source of identification when there are cheap, simple and very available mechanisms available that would considerably boost security and reduce risk.

      (I also happen to have my primary accounts at a bank with such additional security mechanisms - although that's coincidence rather than intentional on my part)

    54. Re:Scare tactics by Cederic · · Score: 1
      This isn't such a straightforward decision to make.

      $5-6 times a few million customers plus the server-side support plus the application level integration make this a significant level of investment.
      Now add in the incompetence of users and the associated increase in calls to the contact centre that this will cause.
      Now throw in disabled users you have to support.
      Now consider the usability aspects of the other customers who just want to get access to their account.

      $5-6 per customer may be cheap. $30m up front, a 5% increase in contact centre costs, potential brand impacts by pissing off customers are not cheap, and need serious consideration against the financial crime and brand impacts of not rolling out such devices.

      (Incidentally, where are you finding them for those prices? Last I heard they're an order of magnitude more expensive, although I'll admit I was surprised when I heard that - maybe I heard the TCO, rather than the purchase price).

    55. Re:Scare tactics by Kludge · · Score: 1

      And what happens if your bank is Egg

      You change banks.
    56. Re:Scare tactics by Anonymous Coward · · Score: 0

      Well, that basically says, don't pay for your dinner with pennies, and don't buy a stick of gum with a $100 bill. ie, the cash amount should be convenient for the business. You might need to visit a bank first. But not taking cash would result in a discrimination lawsuit.

    57. Re:Scare tactics by Anonymous Coward · · Score: 0

      The retailer's network never gets your PIN, only the device and the bank's word that it was correct.

      Are you sure? I was under the impression that when using chip and pin, the card terminal securely checks that the pin entered matches the one stored on the chip.

      As to the original point in the article, my take is that the onus is on the bank to make sure they have been instructed by an authorised person before initiating any cash transaction. Whether the customer, through negligence or incompetence, allows certain personal data to go missing is irrelevant - because a bank always needs to make sure they know whoever is asking for a transaction to be made is authorized.

    58. Re:Scare tactics by Lonewolf666 · · Score: 1

      I don't use my bank's internet-based facilities, because they don't support my (more secure) choice of software- bizarre...

      Fortunately my bank accepts the use of Firefox on Linux for their online banking site (PIN/TAN based). And yes, I DO reboot the computer for this.

      But if they didn't, I might change banks over this ;-)
      --
      C - the footgun of programming languages
    59. Re:Scare tactics by Anonymous Coward · · Score: 0

      Switch to another bank

    60. Re:Scare tactics by smallfries · · Score: 2, Informative

      Annoying though it is my bank worked around this a while ago. Instead of entering my PIN through the keyboard they flash up a java keyboard with randomised key layout on the screen which I have to click with the mouse. It is more annoying than tapping in the code as it takes effort to read the screen and translate my PIN onto it, but it must save quite a few of their customers from keyloggers. If it becomes popular amongst other banks then expect a similar arms race to the one underway between CAPTCHAs and spammers.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    61. Re:Scare tactics by Anonymous Coward · · Score: 0

      Well, another possibility (and way cheaper) is what another dutch bank "Postbank" uses: when you want to make a transaction you have to enter a pin, but this pin will be sent to your mobile. So it doesn't matter if someone steals whatever of your account, because whenever they would like to make a transaction, you get a text message, all without the nice 70 bucks you have to spend..

    62. Re:Scare tactics by quintessentialk · · Score: 1

      Let's see, just exactly WHO should be responsible for the banks' security? Some random customer who is using them, or a staff of professionals whose entire industry is founded on the protection of money belonging to random customers? Seriously, if the banks were to pull that stunt on me, I'd switch to cash as there's absolutely no reason to use the banks if they're not going to offer me basic safeguards.

      I don't know if I agree with the rest of your speculation, but I certainly agree with this first part. I use banks primarily because I expect that my money is much safer with them than it would be if I maintained it myself (with coffee cans buried in the cemetery, grey-market loans, whatever). It is the bank's job to protect my money, no matter how unsophisticated (or sophisticatedly malicious) other customers are.

      I used to be a stronger advocate of the 'users should be more responsible' mantra but I am starting to doubt that is realistic. The obligatory automobile metaphor would be to require government inspections and mandate liability insurance, and I don't see that going over very well, even if it were feasible. No, my ISP should protect me from spam, DoS attacks, email viruses, and bot nets, and my bank should protect my money. Now, if I were to fall victim to a confidence scam, well, that'd be pretty much my own problem, but even then, I think you could argue that if some third party knew or could reasonably be expected to know a scam was going on, and did nothing to stop it, then that party would share some liability. There's a lot of weight to be shouldered out there, and not by the users.

    63. Re:Scare tactics by Giant+Electronic+Bra · · Score: 2, Interesting

      And the bank's response to that is, you 'gave away' your information to someone. Why if the information, which they've told you is confidential, is revealed BY YOUR FAULTY EQUIPMENT, should they be on the hook to bail you out?

      It is just the same as if you magic markered your PIN onto the back of your ATM card and someone stole it and drained your account. I GUARANTEE you the bank will wash its hands of your loss. And rightly so.

      There is another factor involved. If the bank has to eat the losses, then the bank will pass them on to ALL the customers. So now you're not charging 'the bank' for the loss, you're charging ALL THE PEOPLE THAT DIDN'T let themselves get ripped off!

      So the question becomes "Why the hell should I pay for YOUR negligence/incompetence?" Let the idiot that let someone steal his private data off his machine pay for his own mistakes!

      Of course, it makes sense for both parties to deploy a technology that is as secure as possible. The bank which doesn't should be losing business (no matter who pays for the fraud). Still, I see NO reason why the financial institution should be liable unless the loss occurred because of their act of negligence. Which exactly dovetails with liability law pretty much the world over.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    64. Re:Scare tactics by asuffield · · Score: 1

      But I think there's an ulterior motive here. As a part of Chip-and-PIN, the UK is testing a brilliant two-factor authentication system this year for cards that will cryptographically render browser, PC, and merchant security moot.
      Unfortunately it was defeated a few years ago (more recent attacks have improved on this further), and it turns out that the system is designed to only protect the banks, and not the users. It has almost no security against credit card theft at all. Any one of those devices that you stick your card into each day might be silently duplicating your identity, you'd never know it, and the banks wouldn't care (it's "impossible", so it must be your fault).
    65. Re:Scare tactics by jimicus · · Score: 3, Insightful

      If a bank only lets you connect via one OS/browser combo, you are effectively co-opted into the software ecosystem as designed by the bank- it's all their system. Very few banks in the UK have IE-only websites, so that's not a particularly big deal.

      What is an issue is the wording - nothing in The Register's article suggests that they've included the magic phrase "where necessary". You could be using an SELinux box tightened beyond belief with no need for anti-spyware or antivirus, but if you get ripped off through a website, their first question is going to be "What antivirus are you running?" and if the answer isn't a well known commercial product, then it's your problem and not theirs.
    66. Re:Scare tactics by LordLucless · · Score: 2, Insightful

      I wish there was a "-1, Cannot Read" mod. The bit about pennies was an example. American currency is legal tender for debts, not compulsory for purchases.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    67. Re:Scare tactics by Cederic · · Score: 1

      if the information, which they've told you is confidential, is revealed BY YOUR FAULTY EQUIPMENT

      As I said, my immediate comeback would be that they broke Information Security best practices (and basic principles) by trusting information from a known insecure source.

      Not to mention your assumption that they'd be able to demonstrate that I had flawed equipment, that it was the cause of the security breach and that I had acted negligently myself (rather than being the unfortunate and unwitting victim of [dastardly criminal masterminds / my employer / my girlfriend / etc]).

    68. Re:Scare tactics by X0563511 · · Score: 1

      They sort-of do that now. Most pinpads now use DUKPT - Derived Unique Key per Transaction. Granted, the data being encrypted isn't changing, but the keys used to safeguard that are. It's REALLY hard to break an encrypted packet when the key is only used a single time.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
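
The post above names DUKPT (Derived Unique Key Per Transaction) as the reason a captured PIN-pad packet is of little use: the PIN block being encrypted may not change, but the key does, once per transaction, and the host re-derives it from the Key Serial Number (KSN). The Python below is an added example, not the ANSI X9.24 algorithm and not anyone's pin-pad firmware: it replaces the TDES key-derivation tree with an HMAC-SHA256 ratchet and the PIN-block cipher with an HMAC keystream plus tag, so it runs on the standard library. The names `Terminal`, `Host`, `future_keys`, the terminal id, the BDK value and the PIN block are constructed. What it preserves is the property the post relies on: every transaction has its own key, the host derives it from the KSN alone, and a terminal seized after a transaction cannot reproduce the keys it already used.

```python
import hmac
import hashlib


def _prf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (stand-in for the TDES derivations of X9.24)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tx_key_chain(initial_key: bytes, counter: int) -> bytes:
    """Walk the ratchet from the injected key to transaction `counter` (1-based)
    and return that transaction's key. This is what the host does from the KSN."""
    state = initial_key
    for _ in range(counter - 1):
        state = _prf(state, b"ratchet")
    return _prf(state, b"txkey")


class Terminal:
    """Model PIN pad: keeps only the current ratchet state, so the keys it has
    already used are gone from the device after each transaction."""

    def __init__(self, terminal_id: bytes, injected_key: bytes):
        self.terminal_id = terminal_id
        self.state = injected_key
        self.counter = 0

    def encrypt_pin_block(self, pin_block: bytes):
        """Returns (ksn, ciphertext||tag) for one transaction."""
        assert len(pin_block) == 8, "ISO PIN blocks are 8 bytes"
        self.counter += 1
        tx_key = _prf(self.state, b"txkey")
        self.state = _prf(self.state, b"ratchet")   # old state overwritten: not recoverable
        ksn = self.terminal_id + self.counter.to_bytes(4, "big")   # Key Serial Number
        ct = _xor(pin_block, _prf(tx_key, b"enc" + ksn)[:8])
        tag = _prf(tx_key, b"tag" + ksn + ct)[:8]
        return ksn, ct + tag

    def future_keys(self, how_many: int) -> list:
        """Everything a seized terminal can still compute: keys for counters after the current one."""
        keys, state = [], self.state
        for _ in range(how_many):
            keys.append(_prf(state, b"txkey"))
            state = _prf(state, b"ratchet")
        return keys


class Host:
    """Acquirer host holding the Base Derivation Key (BDK)."""

    def __init__(self, bdk: bytes):
        self.bdk = bdk

    def initial_key_for(self, terminal_id: bytes) -> bytes:
        # Injected into the terminal once, at provisioning; the host never stores it.
        return _prf(self.bdk, b"ik" + terminal_id)

    def tx_key_for(self, ksn: bytes) -> bytes:
        terminal_id, counter = ksn[:-4], int.from_bytes(ksn[-4:], "big")
        return _tx_key_chain(self.initial_key_for(terminal_id), counter)

    def decrypt_pin_block(self, ksn: bytes, blob: bytes):
        """Returns the 8-byte PIN block, or None if the tag does not verify."""
        tx_key = self.tx_key_for(ksn)
        ct, tag = blob[:8], blob[8:]
        if not hmac.compare_digest(_prf(tx_key, b"tag" + ksn + ct)[:8], tag):
            return None
        return _xor(ct, _prf(tx_key, b"enc" + ksn)[:8])


def run_demo() -> dict:
    """Constructed run: three transactions with the same PIN block, then checks."""
    host = Host(b"constructed-bdk-not-a-real-key!!")
    tid = b"TERM0001"
    term = Terminal(tid, host.initial_key_for(tid))
    pin_block = bytes.fromhex("041234FFFFFFFFFF")   # constructed 8-byte PIN block (format only)

    captured = [term.encrypt_pin_block(pin_block) for _ in range(3)]
    ksn1, blob1 = captured[0]
    ksn3, blob3 = captured[2]
    return {
        "host_decrypts_first": host.decrypt_pin_block(ksn1, blob1) == pin_block,
        "same_plaintext_different_ciphertext": blob1[:8] != blob3[:8],
        "keys_differ": host.tx_key_for(ksn1) != host.tx_key_for(ksn3),
        "tamper_detected": host.decrypt_pin_block(ksn1, bytes([blob1[0] ^ 1]) + blob1[1:]) is None,
        # a terminal seized after 3 transactions cannot produce the key used for the first
        "past_key_not_on_device": host.tx_key_for(ksn1) not in term.future_keys(10),
        "future_key_on_device": host.tx_key_for(tid + (4).to_bytes(4, "big")) == term.future_keys(1)[0],
    }
```

The `future_keys` check is the defender's reason for the scheme: the compromise of one pad discloses only keys that have not been used yet, which the host can stop accepting once the pad is reported, while transactions already captured from that pad stay unreadable. Real X9.24 bounds the host's derivation to a fixed number of steps with a 21-bit counter tree; the linear ratchet here is only the simplest form that has the same forward-secrecy property.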
    69. Re:Scare tactics by jimicus · · Score: 2, Informative

      It depends: Are there banks other than Egg that have ATMs in your town?

      Brief explanation of a few things about how UK banking works for our US cousins because there are significant differences:

      1. You get paid into your bank account. Virtually nobody is paid in cash. This isn't something you get to negotiate with your employer - they'll ask for your bank account details when you start working.
      2. Checks (or, in UK spelling, cheques) are rapidly dying. Many retailers no longer accept them. More or less every bank account comes with a debit card.
      3. ATMs owned and operated by banks are generally free for any UK bank customer to use. Privately owned and operated ATMs, OTOH, aren't - these are more commonly found inside shops and pubs.
      4. There are usually no charges for day to day banking (eg. receiving statements, using a bank-owned ATM, depositing money). Foreign transactions and unauthorised overdrafts attract swingeing charges.
    70. Re:Scare tactics by penguinbrat · · Score: 1

      I completely agree with you, EXCEPT for when the banks force you to use something that is and or was historically insecure - IE: Internet Explorer and Windows. I have never trusted the two together, let alone IE by itself for financial transactions, ESPECIALLY banking.

      I've always used Linux and Firefox/Mozilla (back in the day) and always will - until the day comes that OSS manages their software like corporations do. I've opened an account one week, and turned around and closed it a few days later to open another because of the forced utilization of software I didn't approve of, and was very vocal about it to anyone who cared to listen - ironically, no one did but they did care to flag me in some global database somewhere as I had to answer for my "peculiar actions" by a bank other than the one who forced the use of IE/M$.

      If the banks are really going to go through with this, and put the blame and responsibility ALL on to the customer - then they should re-think the policy of forcing their customers to use something that they may or may not be able to secure; I can lock down Linux like it is no one's business - but I would have no idea where to start in Windoze, and I'm not referring to just installing/configuring some firewall/virus app...

    71. Re:Scare tactics by Nursie · · Score: 1

      "Are you sure? I was under the impression that when using chip and pin, the card terminal securely checks that the pin entered matches the one stored on the chip."

      Not quite, the pin-pad and card reader (be they one device or two) encrypt the pin and present it to the card, which verifies whether the PIN is correct. The cryptogram is also, under some circumstances, sent to the bank for verification. The PIN itself is never read from the card and never leaves the trusted hardware in plaintext form.

      "As to the original point in the article, my take is that the onus is on the bank to make sure they have been instructed by an authorised person before initiating any cash transaction."

      Couldn't agree more.

    72. Re:Scare tactics by darkpixel2k · · Score: 0

      Let's see, just exactly WHO should be responsible for the banks' security?

      The bank is responsible for the bank's security.
      I however, am responsible for the security on MY pc--just like I am responsible for buckling up in my vehicle rather than blaming auto manufacturers for not building an intelligent car with a padded bubble for me to ride around in.

      The bank secures its systems, and you are required to secure yours. I don't see how this is news.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    73. Re:Scare tactics by Anonymous Coward · · Score: 1, Funny

      Hell, I know people who still don't have credit or debit cards.

      Why do you associate with drug dealers and terrorists? Only drug dealers and terrorists use cash.
    74. Re:Scare tactics by zotz · · Score: 2, Insightful

      "Can't have it both ways."

      True, but then neither can the vendors and others. Right?

      When they advertise that their system is so easy, anyone can do it. It is really intuitive. Then they can hardly come back and say that the problem was due to lack of proper training on the part of the users. They just got finished selling the system on the premise that no training was needed.

      And in the case of banks, if they require a particular OS, browser, or other settings to work, they can hardly properly claim that the customer is fully liable.

      But, even though this may be brain dead, if it scares people into looking into the situation more closely, it may do some good despite being borked.

      all the best,

      drew
      --
      http://packet-in.org/wiki/index.php?title=Main_Page
      Packet In - net band, libre music, sometimes gratis

      --
      FreeMusicPush If you want to see more Free Music made, listen to Free
    75. Re:Scare tactics by pipatron · · Score: 1

      Perhaps a stupid question, but why do you reboot your computer?

      --
      c++; /* this makes c bigger but returns the old value */
    76. Re:Scare tactics by lindi · · Score: 1

      Is links-ssl really safe for banking? Last time I checked it did not even validate SSL certificates.

    77. Re:Scare tactics by Wrath0fb0b · · Score: 1

      And what happens if your bank is Egg (now owned by Citi Group) and tell you every time you log in that you should try the Egg Money Manager, which is only available as an ActiveX control? It's frustrating to keep telling users 'disable ActiveX' and have banks tell them to enable it (and use IE), and if they do then I think they ought to accept at least partial responsibility for the user's poor security. I don't know about you, but what I tell people about ActiveX depends on their level of competence. For the idiots, I say 'disable ActiveX'. For the clueful, however, I explain that ActiveX is, for security purposes, like running the program locally and that they should therefore enable ActiveX only for trusted domains distributed over HTTPS. They tend to understand the basic point: accepting an ActiveX control == allowing this website full access to my computer (and usually ask me why the hell MS would embed such a thing into a program that is, by design, exposed to untrusted sources).

      In that context, I have no idea why you would have a problem with ActiveX controls from your bank - if you do not trust them not to do something malicious to your computer then perhaps you shouldn't bank with them. For the incredibly paranoid, you can always create a VM exclusively for Egg and revert it back when you are done.

      There are a lot of problems with the ActiveX model; its use in cryptographically secure protocols with strong authentication and encryption is not among them.
    78. Re:Scare tactics by Anonymous Coward · · Score: 0

      Bo! He just got served!

    79. Re:Scare tactics by DarkKnightRadick · · Score: 1

      From what little was said in the article, it appears that it's saying that if the end user doesn't take reasonable measures on the client side of the system, the banks won't be responsible for losses incurred, which IMO is reasonable. If I didn't take precautions to safeguard my data and money, then it really is my fault if I lose it all. OTOH, it didn't say anything about banks not being responsible if they (the bank) got hacked.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    80. Re:Scare tactics by bigpresh · · Score: 1

      Let's see, just exactly WHO should be responsible for the banks' security? Some random customer who is using them, or a staff of professionals whose entire industry is founded on the protection of money belonging to random customers? The bank are responsible for the bank's security; the customer is responsible for the customer's security.

      If you take no precautions to ensure your machine stays safe, and log in to your internet banking with some keylogger running which steals your account details, you could be considered negligent, in the same way as if you'd revealed your PIN to someone else.
    81. Re:Scare tactics by Jesus_666 · · Score: 2, Informative
      In Germany chip-and-PIN has been one of the two traditional homebanking concepts (the other being PIN-and-TAN) via the HBCI standard (now called FinTS). We distinguish between four classes of card readers:
      • Class 1 readers are just a smartcard interface; you enter the PIN via the computer's keyboard. They come at about 30-40 EUR.
      • Class 2 readers are like class 1 plus a keypad. ~70-80 EUR, unless your bank sells you a branded device for less.
      • Class 3 readers are like class 2 plus a display. Upwards of 100 EUR. Fancy ones with additional biometric interfaces (not useful for homebanking) come at 250 EUR and up.
      • Class 4 readers are like class 3 plus support for an own Secure Access Module so they can sign transactions with their own credentials (to make card and reader uniquely identifiable for each transaction). These aren't used for homebanking, but the planned German healthcare smartcard will require them.
      Any of the first three classes can be used for homebanking. A few years ago my bank issued a class 1 reader with their homebanking package; when my parents had to get a new one because the old one got flaky they got the current standard-issue device, which is class 2 - however, that might also be because the company the bank gets the readers from has removed all class 1 readers from their lineup.

      Class 2 readers are arguably more secure, but class 1 devices have the advantage of being small and robust, which is useful to me because I lug the reader around in my backpack. Having the choice is nice and since HBCI is an open standard there are implementations for Linux (GnuCash) and OS X (MacGiro, BankX, GnuCash), so keyloggers are a bit less of a worry.
      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    82. Re:Scare tactics by jhol13 · · Score: 1

      The GP post is a bit misleading.

      Every shop accepts cash. Every[1]. None of them take any extra fee. None. Only in banks when dealing with a (human) teller you "lose".

      OTOH every adult does have a debit card as it is much easier and safer than a lot of cash. Checks are slow, cumbersome and unreliable, I do not understand them at all.

      [1] Online shops will usually require credit card or COD. COD can have quite a high extra charge.

    83. Re:Scare tactics by penguinbrat · · Score: 5, Insightful

      "If you don't understand a system to the point that you are not able to use it responsibly, you shouldn't be using it."

      Do you understand the inner workings of a fuel injected turbo with dual overhead cams - or do you have a general idea and just use it assuming safety from the manufacturer?

      Do you understand the inner workings/procedures and protocols that it takes to fly a commercial airliner from LA to NY - or do you have a general idea and just use the transports assuming those that be aren't putting your life at risk for a mere buck?

      Do you understand biology and the inner workings of your OWN BODY - or do you assume and rely on doctors and those in the medical profession to NOT kill you mistakenly for the treatment of a zit?

      "You either have to submit to someone else making sure you are competent, or you have to be willing to accept responsibility for the outcome of your incompetence." - Typical arrogant and asinine comment from the godly geeks among us; when your inflated ego can go an entire day without relying on ANYTHING that ANY manufacturer claims is perfectly safe and secure to use (regardless if it is or isn't - read M$ and ANY software corp) then, AND ONLY THEN would you have a valid argument to make and have something to back it up. Until then, you need to wake the fuck up and stop expecting everyone else in the world to know as much about computers and the internet as you do - because you rely on company-X telling you using such-n-such is perfectly safe, just as much as grandma and little Jane down the street rely on M$ and the billions of other software manufacturers telling them everything is safe to use their products - not to mention teller X and sales boy Y doubling as a pretend security expert that just "knows" it is safe (hint, they are told to say that).

      Arrogance like this is a big part of the problem - Marketing takes crap like this and runs with it, not to mention the legal department - who cares if it is complicated and way too much to comprehend for 90% of the population; the "experts" that do know what they are talking about blame everyone for not knowing what they know, so we'll do the same, they just don't mention the education and knowledge base behind it - but who cares about that?

      EVERYONE SHOULD ALREADY KNOW IT! - and that is the biggest load of arrogant bullshit I've heard in a long time.

    84. Re:Scare tactics by Kalriath · · Score: 1

      Holy mother of... your card actually has your PIN on it?!? Here in NZ, backwards tech capital of the world, our cards don't even have an inkling of your PIN - they only know their number, and your PIN is encrypted (by the PIN pad) and forwarded to the terminal, then forwarded over a secure link to the bank who sends back either "Yes" or "No" (with a return code indicating the specific reason for the answer)

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    85. Re:Scare tactics by Lost+Engineer · · Score: 3, Informative

      So valuable information isn't sitting on his Windows partition -- not 100% perfect as a trojan could in theory mount his Linux partition in Windows or just read the device directly if it has admin privileges, but it will foil the most common attacks against Windows.

    86. Re:Scare tactics by rastoboy29 · · Score: 1

      While I applaud your sentiment, I have to ask if you've ever actually dealt with normal users?  They are, simply put, not competent to keep their machines secure.  If you confuse the idea of an executable with a flat data file--you simply can't do it.

      On top of that, personally, I have yet to find any anti-virus/anti-spyware that is worth a damn.  Meaning, I keep finding normal users machines that have that stuff, but yet are still infected with every crapware known to man.  They only seem to work...for the people who don't need them.

    87. Re:Scare tactics by Giant+Electronic+Bra · · Score: 1

      OK, let me rephrase 'faulty equipment'. ANY reason whatsoever by which the information was revealed by YOUR system. I call it 'faulty' in that obviously you didn't INTEND to reveal the information.

      As for them having to prove you acted negligently, why would they have to do that? The material fact of the information breach itself is sufficient proof of that. You tried to keep a secret and you failed. If your gf etc stole from you, then well you need to be going after them, not the bank, unless you can show some way by which the bank should have known better.

      And that brings up the NEXT flaw in the 'bank should be responsible' argument. Moral Hazard. If the bank is taking the fall, what exactly is it that stops people from just stealing their own money? Presenting a moral hazard like that is to be avoided.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    88. Re:Scare tactics by owlstead · · Score: 1

      I do think these things were introduced by the Dutch Rabobank. I also know that these devices are not made by RSA but by Vasco. Easy to check, their internet address is on the back.

      Basically these things work by using a number generated by a clock inside the device, hashed together with some authentication info (the number of your account). This number will stay valid for a limited amount of time and cannot be generated without the device. More information? Just look up the patent numbers on the back of the device: US Patents 4.599.489 and 4.609.777 .

      You certainly have to fill in the total amount of the "commit" (which can consist of multiple transactions). If you go even higher you will have to fill in yet another number. Previously, at least at the Rabobank, they forgot to tell you that the number you had to fill in was the total transaction amount, so there was less safety (if only one person picks up that the amount is incorrect you can still easily identify a bad transaction leading to the attacker).

      It's pretty secure, but it's not foolproof if you are not sure that the site you are visiting isn't that of the bank. E.g. an attacker could just tell you on a spoofed site that you would now have to enter the amount in cents instead of euros, and 99% of the people would fill in that amount without even thinking about it. Or the spoofer could just wait until you enter a sufficiently high amount, and send it to its account in the Bahamas.

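The time-based tokens owlstead describes above, as an added example that is not from the thread and is not Vasco's own design or the patented scheme: the device and the bank share a per-card secret, the device HMACs the account number together with the current clock step, and the bank accepts the resulting code only within a small clock-drift window. The secret, the account number, the 60-second step, the 8-digit code and the HOTP-style truncation are constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct

TIME_STEP = 60     # seconds a code stays valid (assumption, not the vendor's value)
CODE_DIGITS = 8    # display length (assumption)


def device_code(secret: bytes, account: str, now: int, step: int = TIME_STEP) -> str:
    """What the token computes from its clock and its secret: an HMAC over the
    account number and the current time step, truncated to a short decimal code."""
    counter = now // step
    msg = account.encode() + struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation: pick 4 bytes at an offset chosen by the last nibble
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def bank_verify(secret: bytes, account: str, code: str, now: int,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """The bank recomputes the code for the current step and its neighbours to
    tolerate clock drift, and compares in constant time. A code replayed after
    the window, or one minted for another account, is rejected."""
    for drift in range(-window, window + 1):
        candidate = device_code(secret, account, now + drift * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def demo() -> dict:
    """Constructed walk-through: fresh code accepted, stale code and a code
    for a different account number rejected."""
    secret = b"\x01" * 32                 # constructed per-card secret
    account = "NL00RABO0123456789"        # constructed account number
    t0 = 1_700_000_000                    # constructed timestamp
    code = device_code(secret, account, t0)
    return {
        "fresh": bank_verify(secret, account, code, t0 + 5),
        "stale": bank_verify(secret, account, code, t0 + 10 * TIME_STEP),
        "other_account": bank_verify(secret, "NL00RABO0000000000", code, t0 + 5),
    }


if __name__ == "__main__":
    print(demo())
```

The window is the trade-off the comment hints at: a wider window tolerates more clock drift but extends how long a shoulder-surfed or phished code can be replayed, which is why the amount binding owlstead mentions matters as a second layer.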
    89. Re:Scare tactics by owlstead · · Score: 1

      These are for internet transactions (which can also be initiated from most post order companies over there, by a popular scheme called iDEAL). So you will have to enter the number manually. The device is not connected to the PC at all, which is a major selling point (no hardware or OS requirements, no chance of losing your PIN).

    90. Re:Scare tactics by quanticle · · Score: 1

      So, by your argument, if a thief breaks into my house and steals my credit card, I should be on the hook for all the losses, since my house is not as secure as a bank vault. I think that's unreasonable.

      And that brings up the NEXT flaw in the 'bank should be responsible' argument. Moral Hazard. If the bank is taking the fall, what exactly is it that stops people from just stealing their own money?

      We already have a term for activities like that. It's called "fraud" (and "money laundering" in some cases). If the bank catches you doing that then they already have the right to press charges and send you to jail.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    91. Re:Scare tactics by Lost+Engineer · · Score: 1

      Sorry to reply twice. I actually think a better solution would be to encrypt the folders on Windows where personal data is stored. Of course not all versions of windows support this, but if you're on one that doesn't you're going to want to upgrade to a more secure version anyways.

    92. Re:Scare tactics by Anonymous Coward · · Score: 0

      What's really sad is that most banks themselves abuse the only real guarantee of security by hyping ridiculous snake-oil security measures some crackpot in IT cooked up.

      The real guarantee is the preexisting trust relationship between the browser and the banking site's secure web site.

      There are quite a number of useless countermeasures, all susceptible to Active MITM and then trivially circumvented, currently being used in production throughout the world.

      1. The "secure keypad" (great way to fool key loggers unless of course target names of clicked objects are also logged)

      2. Secret pictures, keywords and phrases that you see to tell you that your bank is really your bank. This is most dangerous as it confuses the user as to what signals are most important to ensure you're not being swindled, and does little to nothing to protect from an Active MITM attack.

      3. Crackpot security assurances really need to be made outright illegal yet are still unfortunately quite popular. These include gif images of "secure padlocks" shown on the banking company's insecure home page while simultaneously asking for secure credentials directly from a form on that same insecure page.

      Having a firewall, anti-virus software and spyware protection does not mean your computer is secure. Firewalls don't protect against client-initiated actions, which today are by far the most successful method of zombifying PCs. Anti-virus and spyware detection software only protect against known signatures -- as a technical solution this can never reliably secure your computer.

      Which brings up my real point. It's usually *NOT* the OS's damn fault; it's that certain classes of people are easy to fool. (Running ActiveX component == Free Porn) It's not unreasonable for a person not easily fooled to automatically have a more secure PC without having either a firewall, anti-virus or anti-spyware software.

      Most hardware token cards have a history of security problems that are not easily solvable. What the bank just needs is an out-of-band method of having you verify and sign off on your work online. Attempting to go the other way (providing PINs..etc first) will likely result in the same issues due to lack of crypto bindings, and if your PC is owned you can't trust anything you see or type on the screen anyway. Your bank simply flags your transactions as awaiting verification. This can be with the help of a token card with the necessary PIN/transaction binding or simply an offline measure such as calling an IVR when you're finished to read back a summary of and confirm the transaction. ...

      Honestly if they are going to hand out cards with displays and buttons to enter PINs, how much more would adding a USB port add to the cost? Then the Internet/your PC is just a dumb conduit for a secure end-to-end conversation between the bank-issued card and the bank itself.

    93. Re:Scare tactics by Grail · · Score: 1

      Then again, the bank accepts the connection for normal purposes when it obviously comes from a non-trustworthy platform.

      If I was a merchant and knowingly accepted counterfeit notes as part of a transaction, I cannot claim I was defrauded. In fact, I become party to the counterfeit.

    94. Re:Scare tactics by plover · · Score: 1
      But DUKPT is still based on the merchant's PIN pad doing the encryption. Consider that the merchant might be the secret key holder, decrypting and reencrypting the PIN before sending it on to the bank. It does not get the merchant out of the position of being trustworthy. Even with DUKPT, I, Joe Shopper, still have to key my most secret PIN into this PIN pad and trust the merchant doesn't have a sniffer and is encrypting everything properly.

      With two-factor Chip-and-PIN encryption and a handheld card reader, I don't have to worry because the merchant never has the valuable part -- my personal PIN. They just get a single-use PIN.

      --
      John
    95. Re:Scare tactics by Original+Replica · · Score: 1

      I understand it's actually against the law (sorry, no citation) to refuse to accept cash for the full amount...But still, if you owe $10, then the debtor must accept a $10 bill as payment in full.

      The City of New York Parks Department will not accept cash for its membership fees. I've tried to pay in cash, and was refused.

      --
      We are all just people.
    96. Re:Scare tactics by eugene+ts+wong · · Score: 1

      In fact, when I last checked, President's Choice Financial refused IE.

    97. Re:Scare tactics by plover · · Score: 1
      That's not the new two-factor system that they're testing or that I was referring to. I'm talking about the ones that use things like VASCO personal card readers. The bank sends you both the smart card and the reader. You keep the reader in your pocket, and use only it to generate PINs for your transactions.

      The encryption hardware never leaves your possession. It does not electrically interface with the merchant system. It's used to generate a one-time-use PIN that you key into the merchant's terminal. The merchant doesn't get your original secret PIN, just the one you generated for your transaction.

      --
      John
    98. Re:Scare tactics by Reziac · · Score: 2, Insightful

      Which also ensures a monoculture and a uniform point of failure when (more likely than if) their custom setup is compromised.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    99. Re:Scare tactics by kilo242 · · Score: 1

      Maybe a dual-boot system, and he normally uses Windows

    100. Re:Scare tactics by CastrTroy · · Score: 1

      How do you ensure the POS terminal hasn't been tampered with to show a different amount than the value actually being charged. Sure, it's not the most likely of hacks, but I wouldn't put it past some retailers.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    101. Re:Scare tactics by brusk · · Score: 1

      Untrue.

      Some restaurants have gone card-only.

      http://www.npr.org/templates/story/story.php?storyId=6246139

      Waiting to the end of your meal to pay isn't incurring a "debt" in a legal sense.

      --
      .sig withheld by request
    102. Re:Scare tactics by CastrTroy · · Score: 1

      What about when it loads that data into memory? At that point it becomes unencrypted. And it may even place it in swap, and then who knows when it will ever be erased. Can you use encrypted swap in Windows yet? Anyway, it's much more secure to boot into a Linux Live CD, or just a regular Linux install with everything mounted as read only, except home, which could be cleaned anyway on each boot, so as to ensure you're booting with the same software each time, and you don't have to wait for the slow CD drive to load the OS.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    103. Re:Scare tactics by CastrTroy · · Score: 1

      If all they specified was that you had to be running up-to-date antivirus software, without listing any specific programs, then I think that just about any would do. ClamAV would probably suffice. It's used on email servers all over the world to scan for viruses. I don't see why it wouldn't be an acceptable solution for your home computer. If they don't list specific programs, then I don't see from a legal standpoint how they could say 1 antivirus software was better than any other.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    104. Re:Scare tactics by jc42 · · Score: 2, Interesting

      Moreover, given the advantage Gates' OS has maintained for decades and its nearly endemic nature of viral infection...pretty much anybody logging onto a bank's servers has a virus on it and all a bank need do is task the police to recover a computer, find a virus and claim the bank is not at fault.

      Well, now; it seems this situation is ripe for a nice setup. Get an account at a bank such as the Egg mentioned in other messages here, which strongly encourages use of IE and includes ActiveX code in its pages. Arrange for your account data to be stolen by malware from a site that uses ActiveX as an infection vector. When the bank's investigators find the malware on your machine and disclaim responsibility, file suit against the bank, claiming fraud and entrapment (or whatever those are called in UK law). Show in court that they strongly encourage use of IE and ActiveX, which are well known to be major security risks.

      I'd think some UK solicitors with a bit of tech knowledge might have a bit of fun taking on such a case.

      Of course, you'd want to do this with a new account, and don't put a whole lot of your money into it.

      It's only a matter of time before such a case happens. It might be best if it happens to people with the technical knowledge to show in court what's really going on. Maybe you can force the banks to not require customer use of the least secure software available.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    105. Re:Scare tactics by CastrTroy · · Score: 3, Funny

      I'm not sure why one would sign up for a bank called "Egg" in the first place.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    106. Re:Scare tactics by blogjohn · · Score: 1

      There is nothing (except common sense) stopping you from sending cash in the mail to pay what you owe. These institutions are pointing out that sending cash would be stupid for you to do so because that medium/method of exchange cannot be independently confirmed or authenticated.

    107. Re:Scare tactics by Dan541 · · Score: 1

      "About damned time!", I say.

      Banks are held accountable for THEIR systems.

      Users should be accountable for THEIR systems as well. Who are they to say my system isn't secure?
      It's my choice not to use anti-virus software who are they to question my security.

      But I actually agree with you: users do need to be held accountable. Ignorance shouldn't be an excuse, especially when it affects others, e.g. spam bots.
      Zombie machines cost me money because I'm on the end of spam and DDoS attacks, so it's only fair that the users whose incompetence leads to these things should be held accountable the same way I am if I hit another vehicle on the road.

      ~Dan

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    108. Re:Scare tactics by Almost-Retired · · Score: 1

      I agree that there should be a clear demarcation line between MY computer, and the BANK'S system; however that usually leaves a sizable amount of copper out in no man's land, and in the case of using a home-based wifi in lieu of proper cables, the possibility that the wifi can be eavesdropped on is significant. In that wifi event, I'd hold the user responsible.

      My bank at one time had an IE-only policy, and when I walked in to close the account because I couldn't access it to pay my bills, they realized maybe that wasn't the smartest move cuz at the time, the account held a goodly portion of 5 digits. So we compromised, and the ActiveX command that takes you to the login page was substituted by issuing me a direct link to the login page. After that, it all just works. Now they've gone to a double password, and you must get through both screens to get in, but the passwords are still limited to 8 characters each, a Windows legacy I think.

      --
      Cheers, Gene

    109. Re:Scare tactics by Anonymous Coward · · Score: 0

      Agreed. I use 'non-common' software on my computers. I set the NSA-vetted, Bruce Schneier-examined software setting to 'high', meaning we shut the bad guys out at every turn. I keep the system software (and most of the other software) updated on a semi-weekly basis. I'm behind a hardware firewall, and have a software firewall installed. No unnecessary ports are open. I purge the browser cache immediately before and immediately after visiting the bank web site. I never ever follow 'quick links' from email. I keep a close watch for phishing in the toolbar, and never give banking information to anyone over the phone. I also keep a lookout for 'skimmers' on card readers. I'm not anal about it, but I warn people about insecure software. The usual response: Meh! These same people cry bloody murder when they lose a nickel through any kind of scheme. Well sparky, your computer connects to the banks. The bank is secure. Yours isn't. The bad guys can't get past the bank's security, but they can easily defeat yours. Is it the bank's fault your system isn't secure? No. Is it your fault? YES! It's not what many very lazy people want to hear, but it's the truth. Next!

    110. Re:Scare tactics by The_Wilschon · · Score: 1

      Are you claiming that my entire thesis is untrue, or merely that I gave a poor example? It is not clear.

      If the former, I'm afraid you'll have to provide more evidence than a single countercase to a single example.

      If the latter, I'm still not sure I am convinced. I can't hear the audio at that NPR story on this machine, so I am only going on the story's summary, which is very sparing with details. However, from what I can glean from reviews of the cafe, it seems to be a walk up and buy food, then sit down and eat it type of place. This sort of restaurant clearly does not have you incurring a debt, since you pay for the food before you receive it. Thus, the legal tender thing doesn't apply anyway. Please correct me if I am wrong about the style of restaurant. I'm always glad to revise my mental model of our laws in favor of accuracy.

      --
      SIGSEGV caught, terminating

      wait... not that kind of sig.
    111. Re:Scare tactics by Kristoph · · Score: 2, Interesting

      The device you speak of (which I happen to actually use for one of my bank accounts) includes an additional step which is the challenge code.

      You slot in your smart card, enter your pin into the device, followed by the challenge code, and it returns the response code which you must transcribe into the site. It is something that works on the internet but it probably would not work well for commercial transactions because most users would consider it too cumbersome.

      In any case there is a pretty straightforward way to bypass this security. You spoof the bank site and, in real time, interact with the real site, sending the user the real challenge code so they provide the real response code, and then, once you're in, you transfer the funds from the user's account to some other account (which you presumably set up under an assumed name). If you are a reasonably competent crook this actual transfer process is automated, and once you've completed the transfer you change the user's PIN code so they cannot see the transaction for the X days it takes them to order a new PIN code from the bank.

      ]{

    112. Re:Scare tactics by p.gogarty · · Score: 1

      for the high cost (approximately $70) of the handheld security module.

      I and everyone else I know who banks in the UK and uses online banking was issued with one of these handheld security modules for free 6 months ago.

      --
      Paul Gogarty
    113. Re:Scare tactics by complete+loony · · Score: 1

      Sure you can. We also take away driving permits if you break the rules. You should lose demerit points if your machine is found to have been compromised.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    114. Re:Scare tactics by CBravo · · Score: 1

      Actually, the ABN Amro has a pretty stupid scheme. Although you cannot change the amount, you can only verify the target account via the browser. This can be hacked (and has been in other countries).

      There exists no fool-proof system in the Netherlands to my knowledge.

      --
      nosig today
    115. Re:Scare tactics by Anonymous Coward · · Score: 0

      Yes, the card has the PIN stored on it, BUT it's a smart card. That means there isn't anything that can read the PIN from it. It's stored inside the chip, and you can't access it. There are devices that can check a given PIN and see if it matches the one on the card, but they are harmless as 3 wrong tries causes the smart-chip to disable itself.

      Of course, this is only as secure as the smart chip is, but that's pretty secure. I think banks presume it requires such knowledge and equipment that people capable of it will be able to do far more lucrative things. (not sure if they are right, but we'll see...)

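The relay weakness Kristoph describes in comment 111 and the on-card PIN check with a three-try lockout from comment 115, as one added example that is not code from the thread or from any bank's reader. The card verifies the PIN itself and signs with a key the bank also holds. A reader that signs only the bank's challenge lets a relayed challenge authorise whatever transfer the attacker queued; a reader where the user also keys the amount and payee they intend (the total-amount entry owlstead says Rabobank requires, and the payee check CBravo says ABN Amro lacks) produces a response that does not match the transaction the bank actually has queued, so the relayed transfer is refused. Key, PIN, account numbers, the nonce format and the 8-character truncation are constructed assumptions.

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Model of the chip: holds the key, verifies the PIN itself, and disables
    itself after three wrong PINs (comment 115). Constructed, not a real card."""
    MAX_TRIES = 3

    def __init__(self, pin: str, key: bytes):
        self._pin = pin
        self._key = key
        self.tries_left = self.MAX_TRIES

    def sign(self, pin: str, message: bytes):
        """Return an 8-hex-char MAC over message, or None if the PIN is wrong
        or the card is already locked. The PIN never leaves the card."""
        if self.tries_left == 0:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            return None
        self.tries_left = self.MAX_TRIES
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()[:8].upper()


def reader_response(card: SmartCard, pin: str, nonce: str,
                    amount_cents=None, payee=None):
    """Handheld reader. Unbound mode signs only the bank's challenge; bound mode
    also signs the amount and payee the user keyed in from their own intent."""
    fields = [nonce]
    if amount_cents is not None:
        fields += [str(amount_cents), payee]
    return card.sign(pin, "|".join(fields).encode())


def bank_verify(card_key: bytes, nonce: str, queued_amount: int, queued_payee: str,
                response, bound: bool) -> bool:
    """The bank recomputes the expected response over the transaction it has
    queued, which in a relay attack is the attacker's, not the user's."""
    fields = [nonce] + ([str(queued_amount), queued_payee] if bound else [])
    expected = hmac.new(card_key, "|".join(fields).encode(),
                        hashlib.sha256).hexdigest()[:8].upper()
    return response is not None and hmac.compare_digest(expected, response)


def relay_outcome(bound: bool) -> bool:
    """Spoofed-site relay from comment 111. Returns True if the attacker's
    queued transfer is accepted by the bank."""
    key = b"\x02" * 32                                  # constructed card key
    card = SmartCard(pin="1234", key=key)
    user_amount, user_payee = 5000, "NL00BANK0000000001"  # what the user intends
    attacker_payee = "NL00EVIL0000000009"                 # constructed attacker payee
    # The attacker submits their own transfer to the real bank and gets the nonce...
    nonce = secrets.token_hex(4).upper()
    # ...which the spoofed site relays; the user keys it into the reader.
    if bound:
        response = reader_response(card, "1234", nonce, user_amount, user_payee)
    else:
        response = reader_response(card, "1234", nonce)
    return bank_verify(key, nonce, user_amount, attacker_payee, response, bound)


def lockout_demo() -> bool:
    """Three wrong PINs disable the card; afterwards even the right PIN fails."""
    card = SmartCard(pin="1234", key=b"\x02" * 32)
    for _ in range(3):
        card.sign("0000", b"x")
    return card.sign("1234", b"x") is None


if __name__ == "__main__":
    print("unbound relay accepted:", relay_outcome(bound=False))
    print("bound relay accepted:  ", relay_outcome(bound=True))
    print("card locked after 3 tries:", lockout_demo())
```

The binding only helps if the user keys the payee from their own records rather than copying it from the (possibly spoofed) page, which is exactly the display-and-keypad argument behind the class 2 and class 3 readers in comment 81.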
    116. Re:Scare tactics by mcrbids · · Score: 1

      I don't use my bank's internet-based facilities, because they don't support my (more secure) choice of software- bizarre...

      Since I rely on online banking considerably, I wouldn't bank with a bank that wouldn't let me use my choice of O/S, be it Windows, OSX, or *nix. (I use Firefox on FC8 and OSX with my bank without any noticed issue)

      Switch banks. You know there are tons of 'em. They all want your business. And write a letter to your old bank as to why you are leaving. Will your letter matter? No, or at least, not right away. But it will make a difference if you aren't the only one. And you'll be safer, whatever the legalities of the issue. I mean, who wants to go thru the legal hassle that comes when some farquad steals your identity because they got your password to your bank's website?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    117. Re:Scare tactics by jimicus · · Score: 1

      If they don't list specific programs, then I don't see from a legal standpoint how they could say 1 antivirus software was better than any other. They're banks; they make their own mind up regarding the law.

      It has been known in the past for banks to report you to the police if you continue to insist that you're not the reason why £1000 suddenly went missing out of your account. After all, the bank's decided that it's your fault, so if you continue to make a fuss then you're trying to defraud them.

      I suspect the combination of tactics like this and a small-claims system which is generally fairly straightforward for a lay person to use will just result in more banks being sued. Bank won't return the money? Take them to court and ask questions later - and I'm sure the judge will be very interested to learn that the bank had you arrested as soon as they received the court summons.
    118. Re:Scare tactics by rastos1 · · Score: 2, Insightful

      > Do you understand the inner workings of a fuel injected turbo with dual over head cams - or do you have a general idea and just use it assuming safety from the manufacturer?

      If the "fuel injected turbo with dual over head cams" fails, then I'm not dangerous to others. In the worst case I won't be able to start up. However I do understand how breaks work. I know that I have to regularly check the level of breaking liquid. I know that I have to have the front and break lights and blinkers working. I know how they work and how to check that they work. And if I find out that they do not work, I know that I can't keep on driving.

      > Do you understand the inner workings/procedures and protocols that it takes to fly a commercial airliner from LA to NY - or do you have a general idea and just use the transports assuming those that be aren't putting your life at risk for a mere buck?

      No I don't. However I do not fly (control) the commercial airliner. The crew does. The ground personnel ensure that it is working. Again: by not knowing the internals of an airliner I'm not dangerous to others.

      > Do you understand biology and the inner workings of your OWN BODY - or do you assume and rely on doctors and those in the medical profession to NOT kill you mistakenly for the treatment of a zit?

      I don't know about you, but I had biology classes in school. I know that I should seek help if I suspect that something is wrong. Having a raised temperature is wrong; having aches is wrong; having bones sticking out of the body is wrong -> seek help. But that is not important. What is important is to know that I should not wander around the bus station if I have an infectious disease.

      Yes, you should know enough about the system not to be a threat to others.

    119. Re:Scare tactics by rapiddescent · · Score: 1

      the handheld security module (in the UK) is an APACS standard Chip Authentication Programme reader that has 3 functions:

      • One time passcode (used by barclays): generates a code when the user enters their bank chip card and the card PIN.
      • Challenge/Response (used by natwest, RBS et al): generates a code when user enters a chip card and a number given to user at the time of the transaction
      • Signature (not used by anyone that I know of): generates a code when the user enters a chip card, an amount and a code given at the time of the transaction.

      Certainly, NatWest and RBS have issued new debit cards over the last few years that have CAP functionality and will work in any of the APACS readers from any bank. Barclays, NatWest and RBS are giving the readers out for free because the business case for diminished fraud loss (currently £100m/year in the UK for ebanking) will more than pay for the systems. The reader is a small unit (the market leader for manufacturing is the French company Xiring), is powered by batteries and is not connected to the PC.

      Also, with Faster Payments due in May - this is where anyone can wire money from any bank account to another in less than 30 seconds - banks have to implement security up front because they don't have the luxury of 3 days 'clearing' to find fraud.

      Vulnerabilities: I'm a little concerned that people will enter their PIN into anything nowadays. The PIN used to be something you only entered into bank owned machinery - now, with the proliferation of 3rd party devices for Chip-and-PIN and the new CAP systems, I think the value of the PIN is diminished. We've seen successful fraud at Shell petrol stations where customers entered their PIN into a fake card reader.

      The cool thing about CAP is that the code that you get from the reader passes back a bitmap in the not-really-random code that you see on the wee screen. So data from your card can be sent back to the bank - things like transaction counters and so on. Some banks don't use this data (hence they have weak systems), others do, at the risk of unusability with locked-out cards and so on.

    120. Re:Scare tactics by rapiddescent · · Score: 1

      Actually, an EMV card has 2 PINs, an online PIN and an offline PIN, but all banks that I know of set them to be the same data.

      Think of the card as a computer. It exposes various methods to the host unit, such as getCardHolderName(), getCardISONumber(), getExpiryDate() etc. None of the private attributes are visible and there are no setter() methods that I know of. The card has internal mechanisms such as transaction counters that help prevent card copying attacks. Everything on the card is signed and secured by a digital certificate.

    121. Re:Scare tactics by Lost+Engineer · · Score: 1

      Can you use encrypted swap in Windows yet? Maybe. I just learned today that BitLocker, which I don't have apparently, encrypts a whole partition, which would be everything but the windows equivalent of your "/boot." I could be mistaken, but I imagine this would encrypt your swap. You need either Vista Premium or a server edition for this feature.
    122. Re:Scare tactics by jrumney · · Score: 1

      They're not just testing, they're already rolling them out to customers, and there is no suggestion that customers will pay. My wife got hers from Barclays last year, and Nationwide has warned its customers to contact the bank if they are travelling between April and July to avoid having one sent to a vacant address, and for instructions on what to do when the old system is switched off in August (probably telephone banking).

    123. Re:Scare tactics by MadMidnightBomber · · Score: 1

      UK banks are - in general - not as fucked up as some of their US counterparts. I can access both Lloyds TSB and HSBC from Linux/firefox with no problem at all.
      If they did bring out a Windows-only website, I would be looking for a new bank.

      --
      "It doesn't cost enough, and it makes too much sense."
    124. Re:Scare tactics by rapiddescent · · Score: 1

      not in the UK. The RNIB are currently pursuing any bank that uses CAPTCHA that has no accessible alternative because it breaches the Disability Discrimination Act. Of course, if you supply a plain text version then the attackers will use the path of least resistance. Also, another problem that the DDA gives us is that customers are not compelled to declare their disability - so any accessibility options have to be provided at runtime - not some sort of setting at the bank.

    125. Re:Scare tactics by locofungus · · Score: 1

      This is all true (although I think the maximum totals for coppers are smaller than 2GBP). But additionally, when using legal tender to settle a debt the creditor is not required to give change (It makes sense really - the creditor is obliged to accept the cash but may be unable to give change).

      So if you're in a restaurant that says "we do not accept 50GBP notes", make sure your bill is greater than 50GBP and you pay the exact amount, if you want to use a 50GBP note anyway.

      Tim.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    126. Re:Scare tactics by locofungus · · Score: 1

      > Basically these things work by using a generated number by a clock inside the device

      I don't believe there is a clock at all. I think it's a pseudo random number generator on the card.

      At least for some people in the UK, these devices arrived with a plastic strip that isolated the battery.

      (I've seen reports that if you generate a few numbers and write them down you can then use them later. This would also preclude a clock)

      Tim.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    127. Re:Scare tactics by tacocat · · Score: 1

      Ultimately you are responsible for your own actions. You might get a lawyer to try and convince people otherwise, but you are still the one who has to bear the burden of your decisions.

      Think this through a little bit. If the bank is responsible for your security, then before you can do on-line banking with them, they have to validate the security of your machine. In order to do that they will need sufficient access to your machine to determine the following:

      • Current OS installed (Windows, OSX, Linux).
      • Current patch level of OS.
      • Current Anti-Virus software installed, including patch level and fingerprint libraries.
      • Determination of all installed user software to assess their security levels.
      • Scan for Adware/Spyware.
      • Access to all Security level settings, user file permissions, firewall ports.
      • And you will have to disclose any network architecture in the event you have a NAT.
      And after all of that, if there are any currently active and unpatched security issues with this list they will have to unilaterally deny you access to your banking until the vendor can provide you with a patch.

      That means you probably won't be able to do any online banking most of the time that you have access to online banking because you have just made the bank liable for security. Something that cannot be maintained on the internet with Windows (as a minimum).

      You've also just handed your bank complete access to every detail of your computer, lifestyle, and usage patterns.

      No one has the technology to keep banking 100% safe under any conditions. Acting as an internet idiot I have no doubt that I can circumvent the best you can offer by simply letting my computer get pwned by every URL that shows up in my spam.

      I hope it is a warning shot to consumers. They really need to start understanding that they are ultimately responsible for the security of their behaviour.

    128. Re:Scare tactics by Lonewolf666 · · Score: 1

      You got it - I forgot to mention that the computer still spends a lot of time on Windows. But it gets rebooted into Linux for online banking.
      Your trojan scenario is in theory feasible but it seems far-fetched to me, as the trojan would have to do the following things:
      -detect that Linux is installed on the system.
      -bring its own ext3 file system driver, as I have none installed on Windows.
      -manipulate the Linux installation to intercept my connection to the bank (simply reading data from the ext3 partition won't do the job, as I type the PIN/TAN in when needed and not before). The most feasible way might be to exchange the Firefox executable, so it goes to a phishing site that completes the man-in-the-middle attack by grabbing my inputs and sending a different order to the real banking site.

      I think that won't happen before phishers get really desperate about increased Windows security.

      --
      C - the footgun of programming languages
    129. Re:Scare tactics by Lonewolf666 · · Score: 1

      Correct.

      Forgot to mention that.

      --
      C - the footgun of programming languages
    130. Re:Scare tactics by CastrTroy · · Score: 1

      I guess in that case, if you put your swap partition on a separate partition (who wants the applications to be encrypted) and used BitLocker on that, then you would have an encrypted swap. Although for some reason I could see MS's swap implementation going completely around the regular file system APIs, just for a mediocre increase in speed, which would mean that it might not work with BitLocker. Most likely not true, but based on the way other MS stuff is designed, I wouldn't doubt it if it was the case.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    131. Re:Scare tactics by Zaiff+Urgulbunger · · Score: 1

      But given that in some circumstances ActiveX can be insecure (being used on a dodgy domain), and given that the majority of users are clueless**, and given that if ActiveX is ever allowed to run on a dodgy domain, the computer is compromised, *why* would a bank even dream of encouraging its use?

      And thus, I'm inclined to agree with the parent that a new bank should be found! Egg appear to be making bad decisions.

      **I'm not dissing them btw! I'm just stating that the majority of users do not understand computer security issues.

    132. Re:Scare tactics by Anonymous Coward · · Score: 0

      As far as I know, the encryption devices are free.
      I received mine for free from Barclays Bank as part of their initial trial roll out because I am a regular online banker, eventually they will be mandatory for online banking with Barclays, and free to all customers as I understand it.

    133. Re:Scare tactics by Lincolnshire+Poacher · · Score: 1

      > However I do understand how breaks work.

      Apparently not well enough to know how to spell BRAKES...

    134. Re:Scare tactics by ozmanjusri · · Score: 2, Interesting
      > What's even better is that this method is completely OS and browser independent.

      My bank has an authentication method which is OS and browser independent too.

      When I, or anyone else, attempts a transfer which exceeds my set limit, the bank sends me a text message (SMS) with a one-time PIN. I then have three minutes to input the PIN to approve the transfer.

      If the PIN isn't correct, or if it's not typed in within the time limit, I get another SMS telling me of the attempt.

      --
      "I've got more toys than Teruhisa Kitahara."
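      As an added illustration of the SMS approval scheme described in the post above (example code, not anything posted here or any bank's real design), the following Python models a one-time PIN that is sent only when a transfer exceeds the user's limit, expires after the three-minute window, can be used once, and produces a notification on any failure. The 180-second lifetime comes from the post; the three-attempt lockout, the transaction identifiers, the in-memory `sent` list standing in for an SMS gateway, and the injected `now` clock are assumptions of the example.

```python
"""Toy model of SMS-delivered one-time PINs approving bank transfers over a
user-set limit.  Added example; the gateway, identifiers and attempt limit
are assumptions, not any bank's real design."""
import secrets
from dataclasses import dataclass, field

OTP_LIFETIME = 180   # seconds: the three-minute window the post describes
MAX_ATTEMPTS = 3     # assumption: lock the transfer after three wrong PINs


@dataclass
class Pending:
    pin: str
    amount: int
    account: str
    issued_at: float
    attempts: int = 0


@dataclass
class TransferApprover:
    limit: int
    pending: dict = field(default_factory=dict)   # txn_id -> Pending
    sent: list = field(default_factory=list)      # stand-in for the SMS gateway

    def request(self, txn_id: str, amount: int, account: str, now: float) -> bool:
        """Start a transfer. Returns True if an SMS PIN is required."""
        if amount <= self.limit:
            return False                      # below the limit: no second factor
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[txn_id] = Pending(pin, amount, account, now)
        # The message names the amount and destination so that the user can
        # spot a transfer they did not initiate before approving it.
        self.sent.append(
            f"PIN {pin} approves transfer of {amount} to account {account}; "
            f"valid for {OTP_LIFETIME}s")
        return True

    def approve(self, txn_id: str, pin: str, now: float) -> str:
        """Check the PIN. Returns 'ok', 'expired', 'bad_pin' or 'unknown'."""
        p = self.pending.get(txn_id)
        if p is None:
            return "unknown"                  # never requested, or already used
        if now - p.issued_at > OTP_LIFETIME:
            del self.pending[txn_id]
            self.sent.append(f"Transfer {txn_id} not approved in time; cancelled")
            return "expired"
        if not secrets.compare_digest(p.pin, pin):
            p.attempts += 1
            if p.attempts >= MAX_ATTEMPTS:
                del self.pending[txn_id]
            self.sent.append(f"Wrong PIN entered for transfer {txn_id}")
            return "bad_pin"
        del self.pending[txn_id]              # single use: the PIN cannot be replayed
        return "ok"
```

      In production `now` would be `time.time()`; it is a parameter here so that expiry can be exercised deterministically. The PIN is compared with `secrets.compare_digest` rather than `==` so that a wrong guess does not leak timing information about how many leading digits matched.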
    135. Re:Scare tactics by dschuetz · · Score: 1

      > Very few banks in the UK have IE-only websites

      Well, duh. Then it'd be an Irish bank.
    136. Re:Scare tactics by X0563511 · · Score: 1

      Well the merchant does not have their key - neither does the network. The key is injected into a tamper-sensitive system in the pinpad prior to being shipped. If the battery dies, the case is opened, or a strong enough shock (physical) is applied, the pinpad will "dump" its keys. One of our recent pinpads actually has the pin-containing circuit board encased in a roughly .75"x1"x2" block of solid silicon - try getting through that while not opening the case enough to trigger the keydump...

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    137. Re:Scare tactics by Anonymous Coward · · Score: 0

      The problem is that most anti-virus products are less than worthless.

      I don't run AV software or anti-spyware software and yet have never been infected at home or at work. I'm fortunate enough to know Windows inside out to be able to manually check for the existence of malware including stuff capable of hiding via various stealth methods. I don't need AV because I know Windows inside out, I know what should be on the process list, I know where to look for something that may be hiding itself from the processes list. Without sounding big headed there simply isn't an AV program that can tell as well as I can if my system is infected or do as good a job as I can to remove if infected. AV software has not only failed to find malware that I've found manually in the past but has let it run happily alongside it whilst doing what AV software does best - slows your system down by a noticeable degree.

      I agree with the general sentiment of your post that people can't be looked after but on the same note it's part of a bigger problem in this case, much common software is insecure and I'm not convinced it's an old grannies fault for example if she visits an innocent seeming website linked from Google and spyware installs itself on her system.

      Banks telling people they need AV software when it's worthless is merely an excuse for them to continue offering a service that is knowingly insecure; whether the insecurity is on the client side or their side is irrelevant. If they can't provide the service they shouldn't - the whole core purpose of banks is to ensure the security of money, that's why we have money in their hands that they're making billions off as some of the biggest companies in the world. We don't mind them making money off our money if they do their job of looking after its safety, but when they can't do that then what's the point? They have to take losses through internet fraud into account if they want to provide the service and work out ways of protecting against such problems, like using the one-time pads that some have started sending out.

      I'm very pro personal responsibility but when you're effectively paying a company to do something for you as you are with banks by letting them profit off your funds then they should be providing you that service not turning round and telling you it's your problem when it goes missing. If anything what banks should be doing is making better use of the one-time pad type devices and perhaps offering free training/AV software if that's an issue to them.

      I find it a bit rich for those of us in the IT community to tell them it's their problem for not having a clue when the fact is it's us, the IT community that's largely responsible for allowing insecure software into existence in the first place. If the IT community was more responsible in ensuring software was secure and insecure software like Windows that isn't secure never made it out to a single computer then perhaps end-users wouldn't be such rich pickings to fraudsters in the first place.

    138. Re:Scare tactics by jweatherley · · Score: 1

      I've got one of those. I need it to create or modify payments from my bank's (NatWest) site. I wasn't charged for it, and I would be surprised if they cost as much as $70. I would have thought that 70c would be closer.

      --

      --
      Reverse outsourcing: it's the future
    139. Re:Scare tactics by The_reformant · · Score: 1

      It would be hopelessly outdated as soon as it was conceived, remember it was only a few years ago that a sophisticated scam consisted of writing an email purporting to be a distressed Nigerian gentleman trying to claim their rightful inheritance.

      --
      I have discovered a truly remarkable sig which this post is too small to contain.
    140. Re:Scare tactics by Giant+Electronic+Bra · · Score: 1

      > So, by your argument, if a thief breaks into my house and steals my credit card, I should be on the hook for all the losses, since my house is not as secure as a bank vault. I think that's unreasonable.

      Well, one could make that argument, and for many years that was the case. However the way it works now is actually pretty reasonable. The MERCHANT that accepted the charge is on the hook for it. If they want to be off the hook, then they better sufficiently verify charges at the point of sale. In practice the banks work it a bit different, they lower your fees if you use less risky verification methods.

      > We already have a term for activities like that. Its called "fraud" (and "money laundering" in some cases). If the bank catches you doing that then they already have the right to press charges and send you to jail.

      Sure, but that presupposes they can catch you. Removing the temptation and the mechanism is overall a better alternative.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    141. Re:Scare tactics by dapprman · · Score: 1

      Lets get some facts down about this.

      1. Most if not all of the UK banks post on their websites about the importance of PC security, give advice, and some even provide tools, or at least links to security tools.

      2. Most, if not all of the UK banks do send out warnings about hijack emails.

      3. The UK banks who are now pushing the chip'n'pin code generator are giving these away for free. I have my NatWest one sitting next to my home PC and it cost me nothing.

      This is not the US and I do not know how the US banks deal with their customers. I would not comment about the US system as I live in the UK, but over here the banks have been trying to educate their account holders, but can only go so far. If a punter still insists on responding to a 'security' farming email then it's their fault, fair and square. You can't blame the banks for the stupidity of the individual, especially as they do work hard to counter fraud in other areas (such as when a colleague of mine had his cash card cloned).

    142. Re:Scare tactics by jandersen · · Score: 1

      Let's see, just exactly WHO should be responsible for the banks' security? The banks, of course. However, as far as I understand it, this is not about bank security, but about the responsibility customers have to keep their PIN safe. I think it is entirely fair that you not only don't tell your PIN to somebody else, but that you make sure that you don't use it in an unsafe setting, such as on a PC that hasn't been secured properly. What we need is some sort of guideline saying that if I have followed those steps, then my PC is legally secure, and I have done everything required.
    143. Re:Scare tactics by plover · · Score: 1
      You're thinking only about the encryption key injected into the PIN pad. I'm talking about the decryption appliance used at the backend. DUKPT is a protocol based on symmetric encryption. That means the decrypting end uses the same master key that was injected into the PIN pads.

      If the merchant owns the decrypting appliance, then it's possible that the merchant owns the key.

      --
      John
    144. Re:Scare tactics by enbody · · Score: 1

      Excellent example. The name for that is a 'man-in-the-middle' attack (see http://en.wikipedia.org/wiki/Man_in_the_middle).
      The reason is that the bank is authenticating you, but you are not authenticating the bank. It is the difference between the similar sounding 'two-factor authentication' and 'two-way authentication'.

    145. Re:Scare tactics by Nursie · · Score: 1

      That takes a hell of a lot more than a paperclip to achieve. In fact neither the slashdot page nor TFA even mention a paperclip. What they mention is a real time link from a hacked card reader, via a laptop, to another store where someone uses a fake card (presumably with some sort of receiver inside).

      MUCH more than a paperclip.

    146. Re:Scare tactics by Anonymous Coward · · Score: 0

      1, 3, and 4 are the same in the US. So is the second half of 2. About the only difference is that just about everyone still accepts cheques/checks in the US.

    147. Re:Scare tactics by electrictroy · · Score: 1

      I wonder who the UK banks would blame if the customer (like me) does not use online banking.

      Hmmm.

      --
      The government is not your daddy. Its purpose is not to raid middle-class neighbors' wallets and give it to you.
    148. Re:Scare tactics by X0563511 · · Score: 1

      The merchant doesn't own the decrypting appliance. The backend merchant sends data to the frontend, who formats and forwards to the backend processor, who then talks to the banks. If the backend has been compromised, your PIN is the least of your worries.

      At least that's how it's done in my world.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    149. Re:Scare tactics by mdwh2 · · Score: 1

      I have to use one already. I wasn't informed about needing one until I needed to make a payment - as a result, I had to wait a week before I received the device in the post, and I could make the payment. Thankfully it was nothing urgent.

      Also it's annoying if you're somewhere where you do have an Internet connection, but you don't have this device (not to mention when the battery runs out, or you lose it or it breaks).

      People joke about cheques being outdated - this device may be a good thing for security purposes, but with these sorts of issues, I'm never going to be able to switch to purely being online, so I still have to keep the chequebook around.

    150. Re:Scare tactics by mgblst · · Score: 1

      Compare it to the Oz System.

      1. Same, you get paid into your bank account.
      2. Never used cheques in oz, only started to use them in the UK. Nobody used them.
      3. ATMs are all owned by banks, and they are free for the first few transactions. Some banks charge if you go inside.
      4. You never get any interest, and banks charge you money to keep your money. So just keeping in $5000 will cost you about $5 a month. No interest.

    151. Re:Scare tactics by quanticle · · Score: 1

      Sure, but that presupposes they can catch you. Removing the temptation and the mechanism is overall a better alternative.

      You could apply the same argument to a whole host of other things. Lets take shoplifting for example - you could say that stores should keep all their inventory behind the counter. After all, there are laws against shoplifting, but enforcement of those laws presupposes that the store can catch you. Removing the temptation is a better overall alternative.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    152. Re:Scare tactics by Hal_Porter · · Score: 1

      SE Banken in Sweden gives you a digipass, a little gizmo that looks like a keychain pocket calculator. To use it you enter a pin and two 4 digit numbers generated by the bank website. The digipass then hashes them to generate a four digit number which you enter to login and then to authorise each transaction.

      Which may not be perfect, but I think it's pretty good. You need your pin and the hardtoken to do anything. https should take care of man in the middle attacks, but the hardtoken should help - the numbers they send you could be a hash of the time, amount, destination bank code and some random numbers. If someone proxies the bank and tries to make you sign for a different transaction, it should be possible for the bank to detect this.

      I think these cost a few dollars, much less than the RSA token. And obviously a keylogger on the PC doesn't let the attacker do anything useful, so long as the signing keys in the device are not compromised.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    153. Re:Scare tactics by pfleming · · Score: 1

      I know that you were trying to be funny, but around here there are a lot of people without a bank account of any kind. It's due to a mistrust of the government (Native Americans) a lack of financial education (bouncing checks and then being unable to open a new account due to credit history checks by the new bank) and the fact that cash is handy.

    154. Re:Scare tactics by ILongForDarkness · · Score: 1
      I think it is a logical thing for banks to put in writing. They can't be held responsible for someone else's poor management of their system. Are the common home users network security experts? Probably not. But if they don't want to take the risk on (which is unusually large because of their said lack of knowledge/implementation in that area) then they can live with going to an ATM or a teller.

      It isn't like you have to do internet banking. If you can't do it safely don't do it. Same thing with someone that can't drive properly, or can't afford proper maintenance on their vehicle, if you can't do it right you shouldn't do it.

    155. Re:Scare tactics by torkus · · Score: 1

      Amen.

      Devil's advocate: Multi-billion or even multi-trillion dollar losses due to the collapsing mortgage/debt industry will wreak havoc on not only the US economy but also the global economy. From a 'greater good' perspective it makes some sense.

      However, I still think bailing out these idiots is a worse solution. It solves the short term problem (sort of) but doesn't even slightly address the insane risks taken not only by individual consumers but also large investment firms.

      In retrospect, i wish i had taken out the $500k 1.85% ARM and bought a dream house instead of the $250k 30yr fixed that i could *afford* for a decent-but-not-great house. I'd be right on the soup line with everyone else...and still living in a much nicer house. Stupid me for taking responsibility for my actions.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    156. Re:Scare tactics by Hal_Porter · · Score: 1

      > If someone proxies the bank and tries to make you sign for a different transaction, it should be possible for the bank to detect this.

      Hmm, shit. No it's not. You could enter "transfer 10 pounds to account 1" into the proxy. And the proxy could enter "transfer 1000000 into account 666". Then the bank would generate the two numbers and send them to the proxy, which would send them to you to be signed. You enter your pin and the two numbers into the digipass and it would generate a signature. You'd enter it into the proxy and it would say "ok, transferred 10 pounds to account 1", and the proxy would enter it into the bank, which would say "ok, transferred 1000000 into 666".

      The problem is that the amount and destination account should be visible to the user, not both hashed into a pair of opaque 4 digit numbers.

      On the other hand if you transfer money outside Sweden you get a letter to confirm it. So I guess you could always call them and tell them if you'd been proxied. And https does help too, since on a decent browser you'd get a warning that the site certificate didn't match SE banken.

      And it still seems better than the systems used by other banks, e.g. a hardtoken where you just press a button to get a login password. And that in turn is better than just entering a username and password into a https page.

      It still makes me wonder why they don't make it foolproof though, it seems like it's so close.
      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
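      An added example (not code from any poster, bank, or the APACS CAP specification itself) tying together the three reader functions listed in comment 119 and the proxy scenario worked through in comment 156: a toy Python model of a chip card, a bank and a transaction-substituting proxy. Real CAP codes are derived from an EMV cryptogram computed by the card; here a truncated HMAC-SHA256 (HOTP-style) stands in for it, and the per-card key, the way the bank derives its 4-digit challenge, the 8-digit code length, and returning the card's application transaction counter beside the code instead of packing it into the code's bitmap are all assumptions of the example. In challenge/response mode the user signs only the number the proxy relays, so the bank accepts the substituted transfer; in signature mode the amount and destination the user keys into the reader go into the MAC, so the substituted transfer fails verification. The replay helper shows the counter point from comment 126: the bank only accepts a counter value higher than the last one it saw.

```python
"""Toy model of an APACS CAP-style reader against a transaction-substituting
man-in-the-middle proxy.  Added example: HMAC-SHA256 replaces the EMV
cryptogram a real card produces, and every key and format here is invented."""
import hashlib
import hmac
from dataclasses import dataclass

CODE_DIGITS = 8   # assumption: length of the code shown on the reader


def _mac_code(key: bytes, *fields: str) -> str:
    """MAC the joined fields and truncate to a decimal code, HOTP-style."""
    digest = hmac.new(key, "|".join(fields).encode(), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


@dataclass
class Txn:
    amount: str
    account: str


class Card:
    """Chip card: a secret key and an application transaction counter (ATC)."""

    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0

    def respond(self, challenge: str):
        """Challenge/response mode: the user types only the bank's number."""
        self.atc += 1
        return self.atc, _mac_code(self.key, "CR", str(self.atc), challenge)

    def sign(self, txn: Txn, challenge: str):
        """Signature mode: the user also types amount and destination."""
        self.atc += 1
        return self.atc, _mac_code(self.key, "SIG", str(self.atc), challenge,
                                   txn.amount, txn.account)


class Bank:
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0

    def challenge_for(self, txn: Txn) -> str:
        """Opaque 4-digit challenge derived from the transaction the bank sees."""
        h = hashlib.sha256(f"{txn.amount}|{txn.account}".encode()).digest()
        return f"{int.from_bytes(h[:2], 'big') % 10000:04d}"

    def _accept(self, atc: int, expected: str, code: str) -> bool:
        if atc <= self.last_atc:                 # counter must advance: no replay
            return False
        if not hmac.compare_digest(expected, code):
            return False
        self.last_atc = atc
        return True

    def verify_response(self, txn: Txn, atc: int, code: str) -> bool:
        expected = _mac_code(self.key, "CR", str(atc), self.challenge_for(txn))
        return self._accept(atc, expected, code)

    def verify_signature(self, txn: Txn, atc: int, code: str) -> bool:
        expected = _mac_code(self.key, "SIG", str(atc), self.challenge_for(txn),
                             txn.amount, txn.account)
        return self._accept(atc, expected, code)


def mitm_transfer(mode: str) -> bool:
    """Return True if the bank accepts the proxy's substituted transfer."""
    key = b"per-card-secret"                     # constructed, shared card/bank key
    card, bank = Card(key), Bank(key)
    intended = Txn("10", "1")                    # what the user typed into the proxy
    substituted = Txn("1000000", "666")          # what the proxy sent to the bank
    challenge = bank.challenge_for(substituted)  # relayed unchanged to the user
    if mode == "challenge":
        atc, code = card.respond(challenge)      # user signs the opaque number only
        return bank.verify_response(substituted, atc, code)
    atc, code = card.sign(intended, challenge)   # user keys in 10 -> account 1
    return bank.verify_signature(substituted, atc, code)


def replay_rejected() -> bool:
    """A code the bank has already seen cannot be submitted a second time."""
    key = b"per-card-secret"
    card, bank = Card(key), Bank(key)
    txn = Txn("10", "1")
    atc, code = card.sign(txn, bank.challenge_for(txn))
    first = bank.verify_signature(txn, atc, code)
    second = bank.verify_signature(txn, atc, code)
    return first and not second
```

      The model is deliberately small: nothing here authenticates the bank to the user, which is exactly why a proxy can sit between them, and a captured code is only stopped by the counter check. What the signature mode buys is that the values the user can see and key in become part of what is verified, so the proxy cannot change them without also invalidating the code.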
    157. Re:Scare tactics by Sandbags · · Score: 1

      Don't make payments from public PCs... simple answer to this issue.

      One-time pins work well enough to authenticate the transaction, and when using a card processor at a cash register, you can reasonably be sure the transaction goes through unmolested (if that device was hacked, someone would find out quick as the store would not be getting any money, and the device has a complete history of all transactions not only on it, but in the database of the central processing agency/bank, and it's easy for them to put all the money back where it should be.)

      On a PC, we need one more step. Not only a one-time pin that is good only for that transaction, but a "return pin" that is displayed on the screen after the transaction processes. This should be a pin you can set personally, in advance when you create your online access account, that's a 4-8 digit code that you recognise for any transactions on their site. If you're spoofed, you'll know instantly, and can contact your bank. They'll of course need to validate your selected return pin with that company, but at least you can stop payment on the transaction and list the account the payment was redirected to as a phishing account and if possible have it either closed or blacklisted. Better yet, since almost all of us have cellphones, why not have the return pin and transaction details sent to you via txt (or mobile e-mail if text cost you money). that way, if you're the kind of person that uses the same pin everywhere, if your home PC was compromised they still couldn't fool you.

      On the question of "should people be held responsible for the security of their own PCs" I say YES! Though it's not really possible to securely ID whether a PC on the net has proper security software installed or not (any program that would check for such would be a quick target of hackers and regardless of how secure the application was, its output can always be spoofed). What an ISP CAN do however is identify key activity like DDoS activity, heavy SPAM traffic, etc. Most bots are easy to spot, and even if they can't ID which one of your PCs is infected, they know your external ID, and from their databases they'll know your router MAC address, and can remotely shut it down and call you to let you know why.

      If your machine infects another because it did not have up-to-date antivirus, or didn't have any at all, then you should be liable. If you lose money because you're insecure, your bank should offer services to assist getting your money back, (because no matter how secure you are, there are always zero day exploits to worry about and phishing redirection) but they really can't prevent it from getting stolen.... (they can secure their own systems from direct attack, but a transaction is a transaction, and if it came from your PC with your password and PIN, then as far as they can tell, it's real).

      Public access PCs also need to be secure. If you do a banking transaction at a public PC that's been hacked, the owner of that PC should be responsible, unless it was a zero day attack and he was up to code on his security. There should of course be signs posted to let people know using a credit card on a public PC is just stupid, and the proprietor won't be responsible for monetary or other losses, but at the same time, if they're not at least attempting to secure their PCs, then maybe DHEC should have powers to audit and fine them. Securing public access to the internet may really be no different than regulating food service quality. (of course DHEC doesn't have the staff, but DHEC could subcontract the ISP or some local IT firm to do the work until they staff up internally, or some specific branch is created for this job).

      Don't argue with me that it's your personal right to use or not use security software on your personal PC. If you connect that personal PC to a public network, you need to abide by the rules of that public network. If you want to be naked in your house all day that's fine, but in public? no shirt, no shoes, no service! What you

      --
      There is no contest in life for which the unprepared have the advantage.
    158. Re:Scare tactics by smallfries · · Score: 1

      Interesting. The bank is Natwest so they fall under UK law. I'll have to see if they have a less annoying alternative buried away somewhere.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    159. Re:Scare tactics by gurps_npc · · Score: 1
      Chip and Pin has been SHOWN to be insecure. The information is passed unencrypted. You can buy a chip reader on eBay, modify it in less than 5 minutes to record the chip and PIN information, then set it loose in the wild. Come by and 'service' it when the owner is not looking and you get all the info.

      For less than 100 pounds, you can start harvesting all the chip-pin info you want.

      The industry could solve this issue easily, simply by encrypting the data within the reader. This would force criminals to pay to build/buy some kind of 'theft chip', instead of simply having to learn how to reprogram them.

      --
      excitingthingstodo.blogspot.com
    160. Re:Scare tactics by Anonymous Coward · · Score: 0

      In Belgium Dexia and KBC use them. Same machine, you can even use one of KBC with Dexia and vice versa. You get the first one for free. Dexia asks 20 euro for a replacement.

    161. Re:Scare tactics by merchant_x · · Score: 1

      If people refuse to be paid in currency it would make me doubt the value of said currency. Perhaps in Finland the Euro is not considered money at all but just colored paper. I would not trust a business that does not accept cash.

    162. Re:Scare tactics by Pyroja · · Score: 1

      "fuel injected turbo with dual over head cams"

      I'm going to come off as a nit-picking asshole here, but whatever...

      Turbos are neither fuel-injected nor equipped with dual-overhead cams.

      Motors are.

      For the record, yes, I do understand the inner workings of a fuel-injected, turbocharged motor with dual-overhead cams. And I think everyone else should, too.

      Why? The more you know, the less wool the advertisers can pull over your eyes.

      --
      [Trojan.]
    163. Re:Scare tactics by plover · · Score: 1

      Just to scare the bejeebers out of you, whether or not the decryption appliance is owned by the merchant or the backend processor is merchant-dependent. In my world, the appliance is owned by the processor, but for some extremely stupid reasons that is not an absolute requirement.

      --
      John
    164. Re:Scare tactics by X0563511 · · Score: 1

      Well, hopefully the impending PCI DSS will compel merchants and processors to wise up. Hopefully. For now, I think I'll have my nightmares...

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    165. Re:Scare tactics by plover · · Score: 1
      I've been pondering ways to close the loophole of MITM attacks, but as you point out the random 4-digit nonce is opaque.

      I've been thinking that the handheld could have two "modes", "Internet transfer" or "Physical Store". In "Physical Store" mode, you pass your authorization directly to the merchant, but you leave with the merchandise. It would be hard for the merchant to steal from you when you've already got the merchandise.

      In "Internet transfer" mode, though, you want to assure the bank that this money should only go to Amazon. What if the handheld had a small digital camera, and the user had to take a picture of the corporate logo to which he wanted to send money? Even if you were on a phake amaz0n.com phishing site, as long as the logo looked like Amazon's, only Amazon could redeem the authorization for the money. The bank would refuse to authorize payments to unknown logos.

      --
      John
    166. Re:Scare tactics by Wavebreak · · Score: 1

      Not entirely true, you can pay via your bank's online payment service in virtually every Finnish online store, and most of them accept wire transfers as well. Also, COD is always a 3e extra (which is what the postal service charges for it), not what I'd call "quite high".

      --
      Nobody expects the British Columbia Human Rights Tribunal.
    167. Re:Scare tactics by plover · · Score: 1

      Go back and read more of this thread. The new two-factor authentication uses a separate customer-owned, bank-supplied, handheld device to generate a one-time use PIN. The encryption happens in hardware not owned by the merchant. Doesn't matter if the merchant's pad is good or corrupt -- the PIN is only good for one transaction, and if they're letting you out the door with the merchandise, you've got your end of the bargain.

      --
      John
    168. Re:Scare tactics by Lost+Engineer · · Score: 1

      Windows swap generally goes on the same partition as the OS. Normal windows installations are entirely on one partition. BitLocker requires you to create two. I haven't implemented this, but it sounds to me like the swapfile would be on the encrypted partition.

    169. Re:Scare tactics by Weedlekin · · Score: 1

      "I for one think this is madness. Why? because there's no way to be 100% secure on the internet."

      There's no way to be 100% secure anywhere, but people are still expected to take reasonable precautions against predictable mishaps. What the banks are doing here isn't really any different from insurance companies expecting people not to leave their homes unlocked with everything valuable in a sack on the doorstep marked "swag" because the police say no security systems will stop a determined and skilled thief, so they've decided that trying to prevent theft is completely pointless.

      People who use online banking will now be told that they're expected to install some basic protection against online nasties, so those who didn't know about such things previously will now be better informed. As with physical locks, alarms, etc., they won't stop those with determination and skill, but this doesn't mean that systems with them aren't better protected than those without, especially when they're being used by people who don't know very much about computers.

      --
      I'm not going to change your sheets again, Mr. Hastings.
    170. Re:Scare tactics by Anonymous Coward · · Score: 0

      "Do you understand the inner workings of a fuel injected turbo with dual over head cams - or do you have a general idea and just use it assuming safety from the manufacturer?"

      Actually, yes, I do have a solid grasp of the inner workings of internal combustion engines. I was taking them apart and pointing out what went where (I didn't have the strength to tighten the fasteners properly on my own) when I was six.

      "Do you understand the inner workings/procedures and protocols that it takes to fly a commercial airliner from LA to NY - or do you have a general idea and just use the transports assuming those that be aren't putting your life at risk for a mere buck?"

      I'm a little rusty on some of the protocol, but the physical procedures are dead-easy to learn. Flying a jumbo jet isn't nearly as hard as flying an F-16, and I know quite a lot about those, what with two parents who both work on the FCS for fighters.

      "Do you understand biology and the inner workings of your OWN BODY - or do you assume and rely on doctors and those in the medical profession to NOT kill you mistakenly for the treatment of a zit?"

      I excelled at microbiology and biochemistry in school. I can describe on a molecular level how much of our metabolic cycle works. The same for neurochemistry. Now, I'm no surgeon, but that's mostly because I don't have the hands for it. Plus, information security was always far more fascinating to me.

      Any more questions?
  3. Damned if you do... by UbuntuDupe · · Score: 5, Funny

    So, to summarize:

    bankers: "You better use a secure OS, or you'll be liable for any fraudulent transactions with your account."
    customers: "Okay. What if we use Firefox on Linux?"
    bankers: "That'll work."
    customers: "Hey, we can't access your site using Firefox!"
    bankers: [British equivalent of "hah! Sucks to be you!"]

    1. Re:Damned if you do... by jonbryce · · Score: 3, Insightful

      Are there any bank sites that don't work with Firefox on Linux these days? Even Natwest works now, and they are the most fussy about what browsers they allow.

    2. Re:Damned if you do... by MyForest · · Score: 1

      Not really, I can confirm that Firefox on Linux works fine for Alliance and Leicester, Barclays and Halifax.

      The banks are quite helpful in suggesting security products that will run on Linux too.

    3. Re:Damned if you do... by turgid · · Score: 1

      Add Royal Bank of Scotland to your list. They don't allow seamonkey, though.

    4. Re:Damned if you do... by Lobster+Quadrille · · Score: 1

      Mine doesn't work, but it is complete shite.

      I have to fire up opera and pretend to be MSIE to make anything happen.

      I'm planning on changing banks soon. The final straw was when I showed them their publicly-accessible logs and a file upload vuln and they insisted that no such hole existed.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    5. Re:Damned if you do... by drsquare · · Score: 1

      Now? I've been banking online with Natwest using Firefox on Linux for years. In fact I haven't found a single banking site which has turned me down.

    6. Re:Damned if you do... by fluffman86 · · Score: 1

      You don't know how true this is. When I visit the Online Banking section of my local bank's website, using Firefox 2 or 3 in Ubuntu, I get an error saying that I need to upgrade to an up-to-date browser and Operating System, such as IE 6, Firefox 1.5, or Netscape in Windows, OR Safari 1.x, Netscape, or IE 5 on Mac. This is retarded, and I've contacted them several times about it. ...

      Oh, wow! I just went to their website and it works now! Looks like they took out the stupid javascript that was checking the OS. Well, I guess the above isn't true anymore, but I'm sure some banks still check...

    7. Re:Damned if you do... by rHBa · · Score: 1

      My internet banking (socgen) DOES work on Firefox (I'm using XP but I assume it would work on Linux as well) but they also have a horrible javascript app to capture your password, each time it is loaded the numbers are positioned randomly in an attempt (I assume) to prevent key loggers (you can only click the numbers with your mouse).

      Sounds like a good idea unless you're blind/partially sighted or have javascript disabled for security reasons. I've never bothered looking into it very deeply but I can't imagine it would be very hard to work around the javascript and once that is out of the way you have a password which is a 6 digit number!!!

    8. Re:Damned if you do... by Teun · · Score: 1

      Ah! Soon we'll see a User Agent Switcher for IE, that way it can pretend to be a safe browser on a robust platform :)

      Anyhow, for years I've been using Firefox or Konqueror on Linux for banking at the RABO bank, security is done with the Random Reader of vasco.com

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    9. Re:Damned if you do... by Jurily · · Score: 1

      What if I use OpenBSD, but don't have antivirus and antispyware?

    10. Re:Damned if you do... by DigitAl56K · · Score: 1

      Even better:

      customers: "I was using Linux, and someone drained my account!"
      bankers: "Did you have anti-virus and anti-spyware running?"
      customers: "On Linux?? No!"
      bankers: "Then it's your own fault!"

    11. Re:Damned if you do... by spedrosa · · Score: 2, Informative

      "Are there any bank sites that don't work with Firefox on Linux these days? Even Natwest works now, and they are the most fussy about what browsers they allow."

      Hell yeah.

      At least in Brazil, ABN AMRO (more specifically, Real) *requires* Windows.

      To add insult to the injury, they require the installation of a "protection module". Which is a very intrusive and spyware-like dll called "G-Buster Browser Defense". Its installation under Windows Vista only works if you run the browser as *administrator* and add the banking site to the list of trusted sites.

      You can call them to deactivate the "security measures" for your account and enable it to work on other operating systems, but then I suspect they are not going to be held accountable for unauthorized accesses.
    12. Re:Damned if you do... by calebt3 · · Score: 1

      Install clamav and you are good to go.

    13. Re:Damned if you do... by keeboo · · Score: 1

      I've had bad experiences with Real (AMRO) back a couple of years ago, it was a shitty bank in many ways.

      If that information is useful for you (or someone else): I know, by personal experience, that the websites of both HSBC and Banco do Brasil work without problems under Linux + Firefox.

    14. Re:Damned if you do... by Anonymous Coward · · Score: 0

      Well, just because of this, I just went to Egg. They insist on people using Internet Exploder on Windblows. Oh, how I wish the W3C had teeth enough to kick non-standards-compliant sites like Egg off the internet (for not complying with W3C standards). But alas, they don't.

    15. Re:Damned if you do... by Anonymous Coward · · Score: 0

      British equivalent: "Oh, dear! Hard luck there, old chap!"

    16. Re:Damned if you do... by You+ain't+seen+me! · · Score: 1

      "bankers: [British equivalent of "hah! Sucks to be you!"]"

      That translates as 'tough shit'.
    17. Re:Damned if you do... by Inda · · Score: 1

      Natwest doesn't work with FF3 b3 to b5...

      I phoned Natwest when they started using a redirect on their site.
      - Please tell me if this is supposed to happen.
      - No, said the lady with an Indian accent.
      - Pass me onto someone in the security team, I said.
      - It's normal, said the security guy.

      Who was I supposed to believe?

      On the plus side, Natwest now provide a device, that looks like a calculator, where you have to insert your card, key-in your PIN, and key-in an authorisation number that the website provides, then return the new authorisation number the device provides before it will let you carry out online transactions. The device only works with my card. The card and device are not kept together in my house. I think this is a good thing.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
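      Both Sandbags' remark higher up about a one-time PIN "good only for that transaction" and Inda's description of the Natwest card reader (insert card, key in PIN, key in the number the site shows, type the device's answer back) come down to the same property: the one-time code has to be bound to the transfer the customer actually approved, otherwise malware on the PC can swap the payee after the customer has pressed the button. The following is an added illustration of that difference, not code from this thread, from Natwest or from any bank. It uses a plain HMAC-SHA256 challenge/response (it is not the EMV/CAP algorithm real readers implement), and the card key, PIN, payee and amount are constructed demo values. One caveat a practitioner would add: the binding only helps if the customer keys the payee and amount into the reader themselves or the reader displays them; if the only input is a number handed over by the possibly compromised PC, the customer cannot tell what that number encodes.

```python
"""Transaction-bound challenge/response, illustrative only.

Compares a one-time code that covers just the bank's challenge (a plain
one-time password) with one that also covers payee and amount, and shows
what happens when malware on the PC swaps the payee after the user signs.
Plain HMAC-SHA256 is used here; this is NOT the EMV/CAP algorithm used by
real bank card readers.
"""
import hashlib
import hmac
import secrets
from typing import Optional

RESPONSE_DIGITS = 8  # the reader shows a short decimal code the user types back

# Constructed demo values.  A real card keeps its key in tamper-resistant
# hardware and checks the PIN on-chip; the bank holds a copy of the key.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_PIN = "4821"


def _canonical(challenge: str, payee: Optional[str], amount: Optional[str]) -> bytes:
    """Bytes that get MACed.  Login mode covers only the challenge; payment
    mode also covers payee and amount so the code is tied to that transfer."""
    fields = [challenge] if payee is None else [challenge, payee, amount]
    return "|".join(fields).encode()


def _response(key: bytes, challenge: str, payee: Optional[str], amount: Optional[str]) -> str:
    mac = hmac.new(key, _canonical(challenge, payee, amount), hashlib.sha256).digest()
    # Simple truncation to decimal digits (real OTP schemes use dynamic truncation).
    code = int.from_bytes(mac[:8], "big") % 10 ** RESPONSE_DIGITS
    return f"{code:0{RESPONSE_DIGITS}d}"


class CardReader:
    """What the customer holds: the card key plus an on-card PIN check."""

    def __init__(self, card_key: bytes, card_pin: str):
        self._key, self._pin = card_key, card_pin

    def sign(self, entered_pin: str, challenge: str,
             payee: Optional[str] = None, amount: Optional[str] = None) -> Optional[str]:
        if not hmac.compare_digest(entered_pin.encode(), self._pin.encode()):
            return None  # real cards also count failures and lock the chip
        return _response(self._key, challenge, payee, amount)


class Bank:
    """Issues one-time challenges and verifies the code against the transfer
    *as the bank received it*, not as the customer saw it on screen."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self._outstanding = set()

    def challenge(self) -> str:
        c = f"{secrets.randbelow(10 ** 8):08d}"
        self._outstanding.add(c)
        return c

    def verify(self, challenge: str, response: str,
               payee: Optional[str] = None, amount: Optional[str] = None) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already used: replay is rejected
        self._outstanding.discard(challenge)
        return hmac.compare_digest(response, _response(self._key, challenge, payee, amount))


def simulate(bind_to_transaction: bool, tamper: bool) -> bool:
    """Customer approves 50.00 to ACME; malware on the PC may swap the payee
    on the way to the bank.  Returns whether the bank accepted what it got."""
    bank, reader = Bank(CARD_KEY), CardReader(CARD_KEY, CARD_PIN)
    user_payee, amount = "ACME Ltd 12345678", "50.00"   # constructed values
    challenge = bank.challenge()
    if bind_to_transaction:
        code = reader.sign(CARD_PIN, challenge, user_payee, amount)
    else:
        code = reader.sign(CARD_PIN, challenge)          # plain one-time password
    submitted_payee = "Mule 87654321" if tamper else user_payee
    if bind_to_transaction:
        return bank.verify(challenge, code, submitted_payee, amount)
    return bank.verify(challenge, code)


if __name__ == "__main__":
    for bind in (False, True):
        for tamper in (False, True):
            print(f"bound={bind!s:5} tampered={tamper!s:5} -> accepted={simulate(bind, tamper)}")
```

      Run stand-alone, the table shows the unbound code accepting the redirected payment while the transaction-bound code rejects it; the same challenge cannot be verified twice, and a wrong PIN produces no code at all rather than a distinguishable error.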
    18. Re:Damned if you do... by mgblst · · Score: 2, Funny

      Really? Send me your details I and I will test it on my end...

    19. Re:Damned if you do... by PetriBORG · · Score: 1
      Yes, CITIBANK.

      I hate them. Grr.

      --
      Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
  4. This just in by Mordok-DestroyerOfWo · · Score: 0

    The police department will not be held responsible for the robbery of any house not armed with bulletproof glass, anti-personnel mines, and a moat.

    --
    "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    1. Re:This just in by Anonymous Coward · · Score: 0

      Since when is the police department held responsible for burglaries?

    2. Re:This just in by Anonymous Coward · · Score: 0

      The police are not responsible if someone robs your house, you moron.
      Perhaps you should look up the word "responsible" in the dictionary.

  5. Holy crap. by Anonymous Coward · · Score: 2, Insightful

    Look, if an account compromise occurs as a result of a compromise on the bank's side (web server, backend network, etc), it's the bank's fault. If the compromise occurs because the user's login gets sent to some dude in Russia by a keysniffer running on the user's already compromised workstation, it's MOST DEFINITELY the user's fault. This isn't complicated. Wow.

  6. this is scary by suck_burners_rice · · Score: 5, Insightful

    Suppose one is running a hardened version of OpenBSD on some PA-RISC machine. Suppose then that this person's bank account is drained out and that said draining has NOTHING to do with their computer or OS. Suppose it's drained by someone who prints checks with a random bank account number on them and it just so happens to be this OpenBSD user's bank account. Again, the theft has NOTHING to do with their computer, OS, computing practices, or hair color. What will happen? Will the bank file a discovery motion to check if the person has anti-virus software on their hardened machine? What? No anti-virus software? Never mind that there is no virus to check for. This is scary as it gives the bank a way to weasel out of its own responsibilities.

    --
    McCain/Palin '08. Now THAT's hope and change!
    1. Re:this is scary by Anonymous Coward · · Score: 0

      Or suppose he's running XP+SP2 with tons of malware. Now which case do you think is more likely?

      You need a license for operating a fucking motor vehicle. You definitely should need one to operate a networked computer.

    2. Re:this is scary by kesuki · · Score: 1

      Well, if they'd just switch to using a hardened Linux configuration possibly on more standard hardware, rather than some obscure RISC chip (even apple stopped using RISC)

      well, they could download anti-virus software, straight from a repository. anti-spyware? switch to firefox http://nixory.sourceforge.net/

      Linux comes with firewall support built-in but you can get GUI tools to make firewall management more usable. The question is since Linux (even a hardened system) should have an intrusion detection system, are they going to nail you if you use Linux and don't run an IDS?

    3. Re:this is scary by jez9999 · · Score: 2, Insightful

      Suppose it's drained by someone who prints checks with a random bank account number on them and it just so happens to be this OpenBSD user's bank account.

      Just in case anyone was taking this seriously, this scenario just ain't gonna happen.

      To login to my bank account online, I need the online account's ID, my PIN, and my secret word. In addition, I also now need my physical debit card, a card reader, and to enter my PIN in the reader and get back a code to enter for login. Not much chance of someone randomly getting in by guessing all those.

    4. Re:this is scary by The+MAZZTer · · Score: 1

      He's not formulating a likely scenario, just a possible one. Yours would make it even easier for the bank, but even with his what he's saying is the bank can still claim it's the user's fault by using the letter of the law (no anti-virus software) rather than the spirit (secure computer). I wonder if the clamav package (on debian systems) would count as an "anti-virus software" even though, AFAIK, it only watches for POP3 activity and scans e-mails...

    5. Re:this is scary by Lobster+Quadrille · · Score: 1

      On mine, it just takes a username and password, which get submitted in plaintext if you have javascript disabled.

      Not all banks are created equal.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    6. Re:this is scary by Junta · · Score: 1

      Sigh, RISC as a platform strategy is not dead. PA-RISC, yes, it was abandoned in favor of Itanium, but Power, SPARC, MIPS, and ARM continue. Apple is not *the* benchmark of relevant technology, despite what they would like everyone to believe. And if you do need Apple to use something to consider it relevant, look at Apple's ARM platform iPods and iPhone.

      And, more to the point, there is no relevance to security in talking about PA-RISC, or any instruction set at all. Once you hop OS, you no longer readily run Windows-compiled code anyway. Malware is just as likely to call upon a scripting interpreter as being compiled (in this day and age, most take advantage of scripting features of browsers or some other facility anyway).

      In terms of Linux v. OpenBSD on the antivirus front, it doesn't really matter. The same antivirus my company forces upon my linux workstation is available for OpenBSD as well:
      http://www.f-prot.com/news/gen_news/080225_bsdrelease.html

      I'm a linux user for various reasons, but claiming that a linux platform is better than OpenBSD for complying with both the spirit and letter of this policy is silly. Both platforms have the tools that fit the description, and OpenBSD is far less likely from a philosophical perspective to give up security for convenience. Many Linux distros will embrace a new strategy before the security implications are thoroughly worked out for the sake of a feature, while OpenBSD will wait. Though not popular anymore, I remember when a handful of linux distributions had only the 'root' login, because they thought it was easy and didn't want to burden users with privilege escalation, as an example.

      In any event, if the nature of the breach is obviously in no way related to compromising a computer system and rather is a more traditional way, then I doubt the bank would try to make a claim of relevance.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    7. Re:this is scary by 42forty-two42 · · Score: 1

      Fortunately, checks don't ask for any of those.

    8. Re:this is scary by jez9999 · · Score: 1

      What bank is this? I'd like to know to avoid it. :-)

    9. Re:this is scary by value_added · · Score: 1

      To login to my bank account online, I need the online account's ID, my PIN, and my secret word. In addition, I also now need my physical debit card, a card reader, and to enter my PIN in the reader and get back a code to enter for login. Not much chance of someone randomly getting in by guessing all those.

      Not if they're the same as the combination on your luggage.

      Sorry. Couldn't resist.

    10. Re:this is scary by Lobster+Quadrille · · Score: 1

      I'd tell you, but then everybody'd take my moneys.

      odds are, it won't be a problem though. They're pretty small.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
  7. Banks hate responsibility by plopez · · Score: 4, Interesting

    In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930's banking laws when the banks went to the gov't looking for a bail out and convinced enough people to severely restrict their liability.

    If there is a lawyer in the house can they confirm this?

    Not sure what the state of the laws are elsewhere, but knowing what a bunch of whining snivelers the banking industry is it's probably the same. The bank is always right and the depositors and the taxpayer pick up the bill.

    --
    putting the 'B' in LGBTQ+
    1. Re:Banks hate responsibility by Nolde+Huruska · · Score: 5, Informative

      "In the US, a friend of mine (a lawyer) basically described the state of banking laws as "the bank is always right, if the bank is wrong the bank is still right". This was based on 1930's banking laws when the banks went to the gov't looking for a bail out and convinced enough people to severely restrict their liability."

      The policy was actually started by Hugh McCulloch who was U.S. Treasury Secretary, serving under three presidents starting with Abraham Lincoln. Before he was Treasury Secretary he was the first Comptroller of the Currency, and in that position he declared his famous dictum "In case of a dispute, favor the bank." He became revered by bankers and after his death they commemorated him by putting him on the Series 1902 $20 National Bank Note. His policy has remained pretty much in force ever since.
    2. Re:Banks hate responsibility by DogDude · · Score: 3, Funny

      That's part of the reason why anybody with half a brain uses a credit union.

      --
      I don't respond to AC's.
    3. Re:Banks hate responsibility by Anne+Thwacks · · Score: 1
      That's part of the reason why anybody with half a brain uses a credit union.

      We had building societies, but the government allowed the banks to buy them, because they were being nice to customers, and that was something the banks could not tolerate.

      --
      Sent from my ASR33 using ASCII
    4. Re:Banks hate responsibility by plopez · · Score: 1

      thanks for the info.

      --
      putting the 'B' in LGBTQ+
  8. Same here in Poland by hubert.lepicki · · Score: 3, Insightful

    I just saw the same news about our Polish banks. And to be honest, I can't see any way security can be achieved when compromised operating systems are used for clients' accounts. Even USB tokens are not enough when someone other than you controls your PC.

  9. ummm ... it's not the consumers property by Kristoph · · Score: 5, Interesting

    Should end users be ultimately responsible for the state of their systems?

    The Microsoft Windows OS is not the property of the consumer using it. It is the property of Microsoft used under a license from Microsoft. If the usage of the OS complies with the license then surely any inadvertent behavior on the part of the OS is the responsibility of the owner (Microsoft) and not the license holder (the end user).

    ]{

    1. Re:ummm ... it's not the consumers property by Anonymous Coward · · Score: 0

      I like this - and oh so true - good point!!

      In any other industry, manufacturers are held accountable for the weaknesses, failures or defects of their products - why not software?

    2. Re:ummm ... it's not the consumers property by McDutchie · · Score: 1

      The Microsoft Windows OS is not the property of the consumer using it. It is the property of Microsoft used under a license from Microsoft. If the usage of the OS complies with the license then surely any inadvertent behavior on the part of the OS is the responsibility of the owner (Microsoft) and not the license holder (the end user).

      What would that mean for Free and Open Source software, which is just as well the property of its respective authors and used under license?

    3. Re:ummm ... it's not the consumers property by John+Hasler · · Score: 1

      > The Microsoft Windows OS is not the property of the consumer using it. It is the property
      > of Microsoft used under a license from Microsoft.

      The copyright is owned by Microsoft. The consumer owns the copy.

      > If the usage of the OS complies with the license then surely any inadvertent behavior on
      > the part of the OS is the responsibility of the owner (Microsoft) and not the license
      > holder (the end user).

      That is between the vendor and copyright owner (Microsoft) and the owner of the copy (the "end user"). If Microsoft swindled you, sue them. The bank is not involved.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    4. Re:ummm ... it's not the consumers property by value_added · · Score: 1

      If the usage of the OS complies with the license then surely any inadvertent behavior on the part of the OS is the responsibility of the owner (Microsoft) and not the license holder (the end user).

      Well, fair enough. But put yourself in the position of anyone having even a possible say in the state of things. Consider the legislator, government agency head, law enforcement official, local politician, business owner, etc. What standard would any of them use to determine where responsibility or accountability lies, where corrective action is necessary, and what form it would take?

      I'd submit the most reasonable standard is the same as what most people experience using Windows. Put another way, what comes out of Microsoft is assumed to be or otherwise adopted as the de facto universal standard of security. Viruses? Sure, people get them. Malware? Sure, people get those, too. Phishing? Who hasn't encountered a dodgy email. Security? We're working hard on it.

      It's that kind of thinking and narrow perspective that underlies why few can, if so inclined, step back from the situation and ask "Isn't there a better approach?" And it's the same kind of reasoning that demands you run the latest version of Internet Explorer with updated antivirus software, even if you run OpenBSD.

      Am I blaming Microsoft for the current state of affairs, or indicting them for breeding a generation of lusers? Sure. As they say, if the shoe fits. The problem is that aside from satisfying my own smugness, it isn't very productive. And even if everyone were to agree that the responsibility rests entirely with Microsoft and go along with your licensing argument, everyone would be just as forgiving and continue on doing what they were doing.

      To use an analogy, it's like a screwed up country where the populace was convinced into electing a leader that went on to make a mess of things. With everyone culpable, the only thing to do, regrettably, is to wait until the winds change, and hope the minority voices can be heard.

    5. Re:ummm ... it's not the consumers property by Anonymous Coward · · Score: 0
      Interesting? That is damn insightful! Now 'their' laws are coming around to bite 'them.'

      *****

      note to modders, 'they' and its forms are not exclusively referring to Microsoft, but to the corporate mentality that pervades the 'successful'.
    6. Re:ummm ... it's not the consumers property by gmuslera · · Score: 1

      Ok, let's make an analogy. I rent a car. I use it to go to a movie. And because I was sick and dizzy (biological virus) or drunk (er... chemical virus? trojan?) I killed someone in front of the theater.

      Now, who must be liable here? The car real owner (the rental company)? The movie theater owner? or myself?

      Of course, if I rent a car that is unsafe (no brakes, random turns of the wheel, complete drink bar attached at the side of the driver) maybe some responsibility goes to the car provider. But still, some government agency must attach a label saying "unsafe at any speed" and ban the use of those cars everywhere. But while that doesn't happen, you are the ultimate culprit, legally speaking.

    7. Re:ummm ... it's not the consumers property by kevingolding2001 · · Score: 1

      If the usage of the OS complies with the license then surely any inadvertent behavior on the part of the OS is the responsibility of the owner (Microsoft) and not the license holder (the end user).

      From the bank's perspective the difference is trivial. It just means that when your account gets cleaned out, instead of not reimbursing you, the bank will just not reimburse Microsoft.
    8. Re:ummm ... it's not the consumers property by xZgf6xHx2uhoAj9D · · Score: 1

      Generally speaking, free software is not used under licence. For example, you do not have to accept the terms of the GPL to use GPL'd software. This is what Richard Stallman calls "freedom 0": the freedom to use a piece of software without accepting the licence it's released under.

    9. Re:ummm ... it's not the consumers property by Anonymous Coward · · Score: 0

      any inadvertent behavior on the part of the OS is the responsibility of the owner (Microsoft) and not the license holder (the end user).

      Except that the licence the end user agrees to in order to be able to use the software specifically says that Microsoft are not responsible for the behaviour of their software.

    10. Re:ummm ... it's not the consumers property by Kristoph · · Score: 1

      The copyright is owned by Microsoft. The consumer owns the copy.

      No. The consumer owns the media possibly, but certainly they do not own 'the copy'. Microsoft products are never sold, they are only licensed, the end user therefore has a license to use their copy of the software but that is not the same thing as saying they own the copy. The consumer owns nothing.

      ]{

  10. As long as the banks offer the service... by Anonymous Coward · · Score: 0

    As long as the bank offers an online banking system which relies on inherently insecure systems, the bank should be responsible, especially considering that they could phase out risky systems and only offer a smart card based system with class-3 readers where the customer can see the transaction on secure hardware.

  11. My two cents by Antony-Kyre · · Score: 3, Interesting

    1. How do they know whether or not one's computer had an AV, anti-spyware, and firewall software installed at the time it was supposedly compromised? (Privacy issue.)

    2. Bank customers do have some responsibility in security. Analogy: A homeowner has no locks, leaves door unlocked all day long, then tries getting his or her insurance company to pay out when he or she is ripped off.

    3. AV, anti-spyware, and firewall. All three must be done? I think most people are familiar with the AV and firewalls, but how many know about anti-spyware software? (I believe Lavasoft's AdAware is one program.) What they should do is say that the person must make a reasonable attempt at securing their computer. (This could include having a separate computer used solely for banking, and nothing else.)

    4. A thought just crossed my mind. Will they deny a claim if someone just happens to have an unsecured computer, even if the computer never was used for banking?

    1. Re:My two cents by jonbryce · · Score: 1

      Windows Defender (formerly Giant Antispyware) is pretty popular, as it is from Microsoft, and it is free.

      Most of the AV programs these days check for spyware as well.

    2. Re:My two cents by Dhalka226 · · Score: 1

      Analogy: A homeowner has no locks, leaves door unlocked all day long, then tries getting his or her insurance company to pay out when he or she is ripped off.

      I'm not so sure she shouldn't still be paid out for that. It's clearly a stupid thing to do, but the damage to a person's life that can occur from a robbery seems like too much of a punishment for it.

      Nonetheless, how far do you want to take this? If I was just running to the store, didn't lock the door and got robbed, should they not have to pay out? What if I was in a rush one day and forgot to lock the door? If my kids go out and don't lock the door, does that make me screwed as well?

      If the issue generically is that we're not doing what we can reasonably do to reduce our likelihood of being the victim of theft, then where's the line? Do I need video cameras? Do I have to get a security system? Would just sticking a sign in the lawn that says "Protected By SomeMadeUpSecurityCompany" do the trick, since the biggest benefit of a security system is the deterrent?

      Shift all the questions over to a car for extra fun.

      I just don't know. If I buy theft insurance and get robbed, they should pay. It would take pretty extreme negligence before I'd be willing to say they shouldn't, and I'm not sure not locking the doors even reaches that point.

      What they should do is say that the person must make a reasonable attempt at securing their computer.

      They did. But to avoid legal problems in the future, they're telling you what they consider a reasonable attempt is: AV, Anti-Spyware, firewall. I still think it's pretty stupid though.

    3. Re:My two cents by Antony-Kyre · · Score: 1

      Sorry, my mistake. I think I meant to say, "has no locks, and leaves door open all day long", or something like that. The key thing is, "no locks".

      The banks really need to make sure their customers know what they require of them.

  12. Bullcrap. Don't need that stuff. by mboverload · · Score: 5, Insightful

    I'm pretty freaking tired of all this "advice" that you need this protection for Windows machines.

    Why should I have a firewall? I have a NAT router (hardware firewall).
    Why should I have antispyware? I know what I'm downloading.
    Why should I have antivirus?
    - I don't download cracks. When I DO need to use a crack I upload it to virustotal and then run it in a virtual machine.
    - I run IE7 and Firefox. Although neither are perfectly secure I don't make it a habit to go to Russian warez sites.

    Dear god, SOMEONE explain to me why any reasonable user should need this resource-hogging crap?

  13. Yes and no by IBBoard · · Score: 1

    Should end users be ultimately responsible for the state of their systems?

    Yes and no, really. The bank should have safeguards to protect against fraud (e.g. my bank has halted a purchase and phoned me because it was a reasonable-sized computer purchase that I didn't normally make), but at the same time, if the user has been phished/keylogged because they haven't been paying attention and taking the correct precautions, then why should the banks shell out?

    It's a bit like expecting your car insurance to cover an accident when you've had dodgy brakes and a windscreen covered in crap - you could have avoided it if you had cleaned up and made sure it was safe, and there's nothing the insurers can do to do it for you.
  14. It's about time by jlarocco · · Score: 1

    I'm glad someone's finally doing this. People can't keep using the internet and keep being ignorant of computer/internet technology at the same time. Wise up or GTFO. You can't have your cake and eat it too.

    That being said, insecure OS or not, if the user will download and install any random program, they're going to "get hacked" no matter the OS they're running.

  15. This is bull. by Jane+Q.+Public · · Score: 2, Insightful

    Someone who obtains a bank account number via spyware is ethically (and should be legally) no different than someone who obtains a credit card number by picking someone's pocket.

    People can be so negligent that they are practically asking for their wallet to be stolen... in which case they should share some of the responsibility for the theft. But the criminal is still guilty of a crime.

    Banks can also be negligent, by not keeping tabs on account activity, or not taking several other measures that can reduce theft and fraud. If they do not do those things, then they should share some responsibility, too.

    I see nothing new here, unless the banks are trying to weasel out of their share.

    1. Re:This is bull. by Anne+Thwacks · · Score: 4, Insightful
      Someone who obtains a bank account number via spyware is ethically (and should be legally) no different than someone who obtains a credit card number by picking someone's pocket.

      Next you will be suggesting that the US government should arrest the people doing the phishing, or the companies selling stuff through spam.

      This will never happen - they are far too busy fighting the war on drugs and the war on terror to actually solve real life problems.

      Spam could be stopped overnight if the US owned credit card companies (i.e. all credit card companies) were threatened with the same sanctions for processing payments for spam-promoted products that were threatened for internet gambling.

      The "follow the money" approach has been proven to work, and lack of applying it is wholly due to lack of interest by the UK and US governments.

      --
      Sent from my ASR33 using ASCII
  16. But... by blind+biker · · Score: 3, Informative

    even if a user's computer has a keylogger installed, the bad guys would only be able to steal the access code, not the password of the user - because the passwords are from a list and are unique for each session. At least that's how they do it in all banks in Finland. Once the user is logged on, to start a new (parallel) session, a new password would be required, even if the bad guys would manage to steal the one-time password just when the user is logged on.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:But... by jiadran · · Score: 1

      What if the phishing site is some kind of proxy server (man in the middle attack)? Once access to the bank account is granted, the phishing site shows some fake bank data and starts transactions in the background. If the online banking account requires you to provide some one-time key for each payment, then the fake proxy could just wait for you to actually perform a payment, and then just change the destination account number in the request.
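
      The two posts above describe the gap between a per-session one-time password (which only proves that the customer logged in) and a proxy that rewrites the destination of a transfer the customer genuinely made. The following is an added example written for this thread, not code from any of the posters or from a bank; the password list, the device secret and the account numbers are all constructed. Scheme A models the session-OTP check as described for Finnish banks; scheme B is the standard mitigation, a code computed over the destination and amount the customer approved, so the bank recomputes it from the request it actually received and a rewritten request no longer verifies.

```python
import hashlib
import hmac

# Constructed sample data (not real bank material): a printed one-time password
# list of the kind described for Finnish banks, and a per-customer secret that
# would live in a transaction-signing device such as a card reader.
OTP_LIST = ["4821", "9037", "1156", "7304"]
DEVICE_SECRET = b"constructed-customer-secret-not-a-real-key"


def issue_session_otp(otp_list, used):
    """Customer side, scheme A: read the next unused code off the paper list."""
    for code in otp_list:
        if code not in used:
            return code
    raise RuntimeError("one-time password list exhausted")


def session_otp_bank_accepts(request, otp_list, used):
    """Bank side, scheme A: accept if the code is a fresh entry from the list.
    Nothing binds the code to the destination account or the amount, so the
    bank cannot tell whether the request it sees is the one the customer saw."""
    code = request["code"]
    if code in otp_list and code not in used:
        used.add(code)
        return True
    return False


def transaction_code(secret, dest, amount):
    """Scheme B: a code computed over the transaction details the customer
    approved, as a 'what you see is what you sign' reader would produce.
    Truncated to 8 hex digits so a person could type it by hand."""
    msg = f"{dest}|{amount}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def txn_bound_bank_accepts(request, secret, used):
    """Bank side, scheme B: recompute the code from the request it actually
    received; any change to dest or amount on the way makes it mismatch."""
    expected = transaction_code(secret, request["dest"], request["amount"])
    if hmac.compare_digest(expected, request["code"]) and expected not in used:
        used.add(expected)
        return True
    return False


def proxy_rewrite(request, attacker_dest):
    """The proxy described in the post above: passes the customer's request
    through unchanged except for the destination account."""
    tampered = dict(request)
    tampered["dest"] = attacker_dest
    return tampered


def demo():
    customer_dest, amount = "FI00 1111 2222 3333 44", "150.00"   # constructed
    attacker_dest = "XX00 9999 9999 9999 99"                     # constructed

    # Scheme A: the relayed code is still fresh, so the rewritten transfer goes through.
    used_a = set()
    req_a = {"dest": customer_dest, "amount": amount,
             "code": issue_session_otp(OTP_LIST, used_a)}
    a_tampered = session_otp_bank_accepts(
        proxy_rewrite(req_a, attacker_dest), OTP_LIST, used_a)

    # Scheme B: the code no longer matches the rewritten request, so it is refused,
    # while the customer's genuine request is still accepted.
    used_b = set()
    req_b = {"dest": customer_dest, "amount": amount,
             "code": transaction_code(DEVICE_SECRET, customer_dest, amount)}
    b_tampered = txn_bound_bank_accepts(
        proxy_rewrite(req_b, attacker_dest), DEVICE_SECRET, used_b)
    b_honest = txn_bound_bank_accepts(req_b, DEVICE_SECRET, used_b)

    return {"session_otp_tampered_accepted": a_tampered,
            "txn_bound_tampered_accepted": b_tampered,
            "txn_bound_honest_accepted": b_honest}


if __name__ == "__main__":
    print(demo())
```

      Two design points follow from the code. Scheme B only helps if the customer reads the destination and amount off the signing device's own display before approving; if the secret lives on the PC, or the device signs whatever the PC sends it, the proxy can feed it the rewritten request and scheme B collapses back into scheme A. And the `used` set matters in both schemes: without it a relayed code could be played back for a second transfer.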

    2. Re:But... by blind+biker · · Score: 1

      Yes, that could be done, but that's not really the same as having the user's computer compromised. Oh, well, maybe this is just semantics. I really dunno. I am in my 10th year of online banking, and my assessment is that it's hard to be a victim of any sort of attack, if one just keeps his/her eyes open, at least a little bit.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    3. Re:But... by weicco · · Score: 1

      You live in Finland and haven't heard of Sampo bank's issues? From what I've heard, they don't use those changing confirmation codes anymore. And there was/is (I don't know if they have fixed those) tons of security holes on their new website where a clever XSS attack leads to a MITM situation.

      I started digging into their website a bit after I read in the papers that there is an XSS hole the size of an elephant on their site. I composed (in my mind only, I'm not a criminal) a couple of attacks where I could empty a victim's bank account and the user wouldn't even know it, because the browser is technically roaming in Sampo's domain and using their certificate.

      Sampo's stance was that this is totally user's own fault, user is using "old computer" and Sampo was willing to give 100 euros to customers who would buy a new one. This is total BS of course. The age of the computer doesn't affect this, nor does the name of the Operating System or the browser.

      Back to the article. In Sampo's case I would say that the bank is the one to blame. Their website is a disaster waiting to happen. In any other case like Osuuspankki, Optia etc. it is different. Banks can't and aren't allowed to watch people's computers, so it is up to the user to make sure that their PCs aren't compromised.

      --
      You don't know what you don't know.
    4. Re:But... by blind+biker · · Score: 1

      Does the Sampo net bank use a list of passwords? Or do you always use the same password? It's not clear from your post.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    5. Re:But... by weicco · · Score: 1

      Well, I'm not sure, since luckily I don't have an account at Sampo, but what I've heard is that they use only user ID and password. No password lists or anything.

      But thanks to the XSS vulnerability it doesn't really matter :)

      --
      You don't know what you don't know.
    6. Re:But... by Zoxed · · Score: 1

      > because the passwords are from a list and are unique for each session. At least that's how they do it in all banks in Finland.

      At least at my UK bank you login using the bank code, account number and a PIN number: all typed in at the keyboard and can be logged and re-used later. (In Germany you use either password lists sent to your home address by snail mail, or external card readers/keypads via HBCI.)

    7. Re:But... by blind+biker · · Score: 1

      At least at my UK bank you login using the bank code, account number and a PIN number: all typed in at the keyboard and can be logged and re-used later.

      How does that make you feel? I'd be nervous.
      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    8. Re:But... by Zoxed · · Score: 1

      > How does that make you feel? I'd be nervous.

      If I used Windows I *would* feel nervous, but as I use Linux I do not (I am not aware of any keylogger malware for Linux !!).

      I would prefer a more secure system, but as I live in Germany it *is* very convenient to use online banking for my UK account !!

  17. What if it is Linux or OSX by Anonymous Coward · · Score: 0

    with no need for antivirus, I have read in the past some banks consider that an insecure OS because they don't understand it (much less support it on their Windows driven sites).

  18. Think about it for a second ... by daveime · · Score: 2

    No "sensible" person leaves their cheque book open, with 25 presigned cheques ... because the bank could hardly be held responsible if someone stole that chequebook and emptied your account.

    No "sensible" person leaves their car wide open, with the engine running ... because no insurer would ever pay out for the theft of that car.

    So why is it okay to leave your PC "wide open" and the banks have to pick up the tab ?

    Your security is your own personal responsibility ... this culture of "what the hell, someone else can be the scapegoat" makes us all too lax ...

    I like this proposal ... maybe if you knew that YOU were going to have to pick up the tab for your losses, you'd take a bit more care about what you do online.

    Okay, so the banks are two faced for talking about secure browsing, and then only accepting Internet Explorer ... but MSIE, Firefox, any other solution is really academic ... ANY solution is only as secure as the PC you are running on, and a keylogger logs keystrokes from ANY application ... so be 110% sure you DON'T have a keylogger before using online services ... and don't expect someone else to pick up the tab when you screw up. Because let's face it, it ISN'T the bank picking up the tab anyway, it's the rest of us.

    1. Re:Think about it for a second ... by Sperbels · · Score: 1

      No "sensible" person leaves their car wide open, with the engine running ... because no insurer would ever pay out for the theft of that car

      This analogy is flawed. Just as car manufacturers give us the ability to lock our cars, Microsoft does provide some ability to lock your computer. But that security is easily undermined. Should car owners be responsible for someone slim-jiming their car to break in? That is a better analogy. Or what if they just break a window and you didn't buy the *optional* security system? And what if you did, but the thief knew how to disable the security system? How many countermeasures is the automotive layman expected to take?
  19. electronic banking is not my style by FudRucker · · Score: 1

    If I had a substantial sum of money to keep in a checking or savings account (many thousands or millions) I would insist that no electronic transfers of cash are allowed on my accounts from any PC no matter what OS & web browser is used, or I go elsewhere. This sounds like a good way for corrupt bank managers to wipe people's accounts clean = "hmm, you must have been using an insecure OS" (makes a good excuse)...

    --
    Politics is Treachery, Religion is Brainwashing
  20. Measuring health by Anonymous Coward · · Score: 1, Insightful

    Measuring security by the number of AV programs is like rating the health of a person by the number of medicines they take and the number of band-aids on them. The more medication and the more patches over the cuts and sores must mean that they are healthier?

  21. This is the banks' position now... by idiotnot · · Score: 1

    I seriously doubt many juries, comprised of fellow bank customers, would agree after someone files a lawsuit against those banks who say it's the customer's fault.

  22. MS advertising ... by Alain+Williams · · Score: 1

    does this mean that their TV ads, etc, are going to have to stop showing people doing on line banking ?

  23. NO! by Anonymous Coward · · Score: 0

    Banks shouldn't be allowed to push security issues onto their customers. If a major portion of home PCs have too many security issues for secure banking to be implemented, then it's unethical for a bank to implement the feature: Regardless of demand!

    The banks should take the fall on this one.

  24. Re:Bullcrap. Don't need that stuff. by jonbryce · · Score: 5, Insightful

    Someone finds a security hole in IE7 or Firefox. At the same time, they find a security hole in IIS or Apache. Using both these holes, they attack some well known and trusted site, maybe a newspaper, and use it to do drive-by attacks on visitors.

    Yes, this does happen.

  25. A finance company gave me antivirus software. by Anonymous Coward · · Score: 1, Interesting

    One of the financial companies that I have an account with (Scottrade) gives all their customers a free license to McAfee antivirus.

    I know that several ISPs do the same thing for their customers.

    This seems to be a *far better* preemptive solution to the problem - trying to make sure the customer never gets infected in the first place.

  26. Humourous call by sjwest · · Score: 5, Funny

    client rings up the bank: 'I have been stolen from'
    bank rep asks: what's your operating system?
    client says: Mac OS X
    rep says: I'm sorry sir, that means you're liable for the losses
    client asks: why?
    rep says: you don't run Norton Antivirus; only Norton Antivirus protected computers are safe. Thank you for banking with us, can I help you with anything else?

    1. Re:Humourous call by Anne+Thwacks · · Score: 2, Interesting
      Mod parent +5, accurate. This is not funny, this is a typical UK bank.

      Yes I did try to use Barclays on-line banking using Firefox on OpenBSD on Sparc64 hardware, and no it doesn't work.

      In fact Opera on FreeBSD doesn't either, and Opera on WinXP is barely useable.

      In short, Barclays have clearly never tested with anything other than IE on XP.

      But they have issued me with a PINSentry device which looks like a fisher-price toy, but is allegedly secure.

      --
      Sent from my ASR33 using ASCII
    2. Re:Humourous call by Anonymous Coward · · Score: 0

      no it's cool i'm running norton in parallels ftw

    3. Re:Humourous call by dakameleon · · Score: 1
      --
      Man who leaps off cliff jumps to conclusion.
    4. Re:Humourous call by grm_wnr · · Score: 1

      That's not funny, since this is exactly how it will go. Only on /. would people automatically think "Linux" when they hear "secure OS". In fact, I wouldn't be surprised at all if they just brush off Linux as an "insecure" system just to save them the hassle of thinking about a niche for a second.

    5. Re:Humourous call by locofungus · · Score: 1

      In short, Barclays have clearly never tested with anything other than IE on XP.

      I'm surprised you say that. I've used konqueror with JavaScript turned off for years with Barclays.

      I'm pretty sure I've even used Lynx.

      Admittedly that was some time ago before pinsentry. I've got very little money with them now but I'll give Lynx a try again sometime soon.

      If anything I'd say Barclays is the safest online bank to use. I've got accounts with NatWest One, Nationwide, Alliance and Leicester and none of those work at all with javascript turned off.

      Tim.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
  27. Oversimplification is the politician's lip service by wickerprints · · Score: 1

    The blame lies with everyone involved: (1) The banks who do not strive to achieve adequate protection against fraud or identity theft because there is a point at which the amount of effort needed to further reduce the risk exceeds the financial benefit to do so. (2) Law enforcement and government, whose primary concern is punishment, employ an antiquated bureaucracy that is ill-suited to correct issues arising from identity theft, and are too reliant on numbers, databases, and records when taking action. (3) The systems designers, who share little if any accountability for their product, because users of such systems (be it government, corporations, or the people) only seem to care when those systems break. (4) The criminals--you know, the ones who perpetrate the actual theft or fraud. (5) The consumer, who, through ignorance and blind faith, does not educate and protect themselves.

    But you know what? As long as everyone keeps pointing fingers at everyone else, the real loser here is (5). That's why (1-4) do what they do--at the end of the day, none of them lose through their action or inaction, because (5) does not hold them accountable. And that, my friends, is the only crime they are ultimately guilty of.

  28. Soitenly! Nyuk Nyuk Nyuk by EdIII · · Score: 4, Insightful

    I wholeheartedly agree. It's only logical. Banks are responsible for the security within their own networks and their web servers which are on the edges. That is Just Fine.

    I (The Bank Customer) am 100% responsible for the security of my own systems that I use to access the banking website. How could I POSSIBLY expect the bank to be liable for rootkits, malware, spyware, etc. I can't. That's just not reasonable.

    The only thing I can think of that might go either way would be DNS type hacks since that would depend on how it was done and just exactly what point in the communication it was affecting.

    Now with that being said.........

    It would be the BANKS' RESPONSIBILITY to TELL the consumer THE BAD NEWS. I can't wait. That's a "shitstorm" waiting to happen.

    So basically, the vast majority of PCs are hopelessly insecure. We could talk forever about Microsoft this and Microsoft that, and "what about Safari?", blah blah blah blah. The situation is still the same. The Bank Customer's computer is just not secure enough in most cases and it could only be a matter of time before you are the "lucky" one and get nailed. Kind of like a lottery, except you get bent over.

    In the end the only thing that will happen is that people will stop using online banking. I know plenty of people now that outright refuse to use it for the perceived security risks NOW. If the banks outright say that they will not be responsible for the security on your computer, that will only make the situation worse (for them).

    I'm pretty good at securing my systems, but even I know it would only take one determined person to get me. If the bank will not at least insure my losses, I can't take the risk of online banking. That simple.

    If this really does go down, that will be a pretty big statement about PC security in general. Regardless of who is responsible, if a bank says it will no longer trust the end user's security that is a bad omen for the rest of e-commerce. What about the credit card companies? How will they react to the bank's position?

    1. Re:Soitenly! Nyuk Nyuk Nyuk by jimicus · · Score: 1

      If this really does go down, that will be a pretty big statement about PC security in general. Regardless of who is responsible, if a bank says it will no longer trust the end user's security that is a bad omen for the rest of e-commerce. What about the credit card companies? How will they react to the bank's position?

      A thought that occurs.

      TPM (yes, Trusted Computing) allows a client system to cryptographically prove that its installed software includes a particular product. Presumably this could be harnessed so the bank won't let you log on unless your computer attests to the fact that you're running software the bank deems acceptable.

      Solves the security problem nicely. Whether the cure is worse than the disease is something I leave open to debate.
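
      The post above sketches the mechanism without showing what the bank would actually check. The following is an added example for this thread, not code from the poster or from any TPM vendor or bank, and it simplifies deliberately: a real TPM signs a quote with an attestation key that never leaves the chip, whereas here an HMAC key shared by the "device" and the "bank" stands in for that signature so the example runs offline. The boot component names, the key and the nonces are all constructed. What it does show faithfully is the PCR extend rule (a register can only be extended, never reset, so a later component cannot hide an earlier measurement), why the bank must supply a fresh nonce, and the three independent checks a verifier makes before trusting a claimed software configuration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the attestation key. A real TPM signs quotes with a
# private key that never leaves the chip; an HMAC key shared by the "device"
# and the "bank" plays that role here so the example runs offline.
ATTESTATION_KEY = b"constructed-attestation-key-not-a-real-tpm-key"
NONCE_LEN = 16

# Constructed boot measurement logs: the components hashed into the PCR, in order.
GOOD_BOOT = [b"bootloader v1", b"kernel 2.6", b"bank-approved browser"]
BAD_BOOT = GOOD_BOOT + [b"keylogger.sys"]


def sha256(data):
    return hashlib.sha256(data).digest()


def extend(pcr, measurement):
    """PCR extend: new = H(old || H(measurement)). A register can only be
    extended, never set, so a component loaded later cannot erase the
    measurement of what came before it."""
    return sha256(pcr + sha256(measurement))


def measure_boot(components):
    """Fold an ordered component list into one PCR value (PCRs reset to zero)."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def make_quote(pcr, nonce):
    """Device side: a signed statement over (nonce, PCR value)."""
    return hmac.new(ATTESTATION_KEY, nonce + pcr, hashlib.sha256).digest()


def bank_allows_login(pcr, nonce, sig, expected_nonce, allowed_pcrs):
    """Bank side: fresh nonce, valid signature, and a known-good configuration."""
    if nonce != expected_nonce:
        return False                                   # stale or replayed quote
    if not hmac.compare_digest(make_quote(pcr, nonce), sig):
        return False                                   # claimed PCR not backed by the key
    return pcr in allowed_pcrs                         # must be on the bank's allow-list


def demo():
    allowed = {measure_boot(GOOD_BOOT)}
    good_pcr, bad_pcr = measure_boot(GOOD_BOOT), measure_boot(BAD_BOOT)
    nonce = os.urandom(NONCE_LEN)          # the bank picks a fresh nonce per login
    old_nonce = bytes(NONCE_LEN)           # nonce from an earlier, clean session
    return {
        "clean_machine": bank_allows_login(
            good_pcr, nonce, make_quote(good_pcr, nonce), nonce, allowed),
        "extra_component_loaded": bank_allows_login(
            bad_pcr, nonce, make_quote(bad_pcr, nonce), nonce, allowed),
        "replayed_old_quote": bank_allows_login(
            good_pcr, old_nonce, make_quote(good_pcr, old_nonce), nonce, allowed),
        "pcr_claimed_without_valid_signature": bank_allows_login(
            good_pcr, nonce, make_quote(bad_pcr, nonce), nonce, allowed),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'login allowed' if ok else 'login refused'}")
```

      The allow-list is where the operational cost sits: every patch to the bootloader, kernel or browser changes the measured value, so the bank must publish a new expected PCR for each supported combination or customers are locked out after an update. That is the same maintenance problem raised earlier in the thread for read-only boot CDs, and it is a large part of why the poster's "whether the cure is worse than the disease" question is a fair one.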
    2. Re:Soitenly! Nyuk Nyuk Nyuk by uffe_nordholm · · Score: 1
      I don't completely agree with you. I do all my banking online, and have done so for the past eight years, and along the way I have run into some problems.

      The biggest problem yet is that some banks (let's face it: all) create systems that assume you are using Windows and Internet Explorer. Their official stance is that anything else is 'unsupported'. I choose to use Linux and Firefox, and sometimes run into problems because of this choice, however much more secure it might be...

      If I as the customer am to be held completely responsible for the security of my own computer (as far as banking is concerned) I do think the banks should give me the possibility of avoiding Windows and IE altogether. My choice of browser and operating system should be of no concern to the bank, as long as at least the browser lives up to W3C standards.

      On the other hand, the banks could do a lot to help the situation: modify Knoppix and provide each customer with a personalised CD from which to boot the computer. This CD would have only the minimum software on it, along with a personalised (*) encryption tool, that would allow Firefox (or some other secure browser) to talk to _only_ the banks servers. It should be no major obstacle to create this, and would remove many of the problems facing online bankers today: spyware, keyloggers, phishing...

      * The personalisation does not have to go further than changing the encryption key for each individual customer.

    3. Re:Soitenly! Nyuk Nyuk Nyuk by EdIII · · Score: 1

      I think you missed the sarcasm in the post. If the banks are going to drop their liability and responsibility for the consumer side of the communication then they have to be more open about just exactly what it is they support and what they do not support.

      You are entirely correct about the bank giving support to Linux/Firefox and other more secure operating systems. Basically, if you are going to "talk the talk" then "walk the walk".

      The problem with that is that most online banking users are not able to use a computer to the extent that you can. They barely understand how one operates, what "security" really is, and certainly not what Linux is at all.

      What I see developing out of this is that the end user, even if attempting to provide security at their end, will not be able to do so. Fair or Unfair has nothing to do with it. Online Banking would grind to a halt under those conditions, OR consumers would be using it without proper security at their own risk.

  29. Re:Bullcrap. Don't need that stuff. by jez9999 · · Score: 1

    Fair enough, so if you don't need it, you won't be needing to make a claim to the bank for your stolen money back, presumably.

  30. How do you define secure? by LordOfYourPants · · Score: 2, Insightful

    This may sound facetious, but is any system really secure from keylogging?

    I dual boot Ubuntu and Windows. If I type:

    sudo apt-get install lokkit (as an example, not an accusation) how do I know I'm not getting a free keysniffer as an added bonus?

    I run windows with a firewall, have a firewalled router with minimal ports forwarded, use ad-aware/the windows spyware program/spybot search and destroy as well as AVG. How do I know that none of these pieces of software are, in themselves, spyware/keylogging software? How do I know that my browser hasn't been attacked by some 0-day hack embedded in an ad banner despite rigorous/consistent upgrading of both of my OSes?

    Are people really diligent to that point that every time they're about to do their banking, they close all active programs, update and run their suites of virus scanners and anti-spyware software, and *then* do their banking once the all-clear is given by all programs?

    Honestly, I just see it as a game of probabilities. *Most likely* I don't have a key logger installed on my system, and *most likely* my banking experience is going to be a sane one, but if the shit ever hits the fan, I'm willing to bet that there are people hired to specifically poke holes in my system and say "Linux is an unapproved OS. We can't cover your banking losses."

    I look forward to a better solution.

    1. Re:How do you define secure? by WindBourne · · Score: 2, Insightful

      sudo apt-get install lokkit (as an example, not an accusation) how do I know I'm not getting a free keysniffer as an added bonus?

      Unless you personally check the code yourself, AND know what to look for, then no, you do not really know (even then, you may make a mistake). But based on past history, I would trust k?ubuntu over MS.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  31. This is crap by Mwongozi · · Score: 4, Informative

    My old bank closed my online banking account without warning, and without bothering to tell me they had. I called them and they said it was because "I had a virus". This, despite the fact that I run a secure operating system (with no known viruses) and have an up-to-date virus scanner. Couldn't they just suspend my account until I "fixed" the problem? No, I had to open a whole new one.

    I did. At another bank.

    1. Re:This is crap by owlstead · · Score: 1

      Probably somebody was using your credentials against them in some sort of brute force password attack. They use the same reasoning that I've experienced with one company, they claimed I had a virus because the mails seemed to come from my mail account. Of course, they just looked at the from: address, which had been 'spoofed', if you would even call it that (it's unprotected really). It was a well known virus at that time, so somebody will probably fill it in right below this message :)

    2. Re:This is crap by Anonymous Coward · · Score: 0

      Damn, I was going to open an account at Barclays, they have the best ISA interest at the moment.

  32. End users will not know which way to turn by Anonymous Coward · · Score: 0

    OTOH, you have sites that REQUIRE Windows. Yet, OTH, you have sites like this that will require a secure OS. That means, by all legitimate definitions of secured, that Windows is out. This will drive them batty.

  33. It's not just customers by theurge14 · · Score: 1

    There are many, many companies out there running important financial machines on a certain large software vendor's OS without proper group policies or even passwords. Still! Whole networks with unpatched NT machines with blank superuser passwords. These companies will be struggling to become Sarbanes-Oxley compliant for years to come.

  34. Mac and Linux users beware? by fyleow · · Score: 1
    Some financial institutes in the US have this policy as well. Vanguard will reimburse any losses made through fraudulent activity if you've taken some precautions they've outlined which includes the need to "Make certain that any computer you use to access Vanguard.com has up-to-date security and anti-spyware, antivirus, and firewall software."

    https://personal.vanguard.com/us/help/SecurityOnlineFraudPledgeContent.jsp

    So what happens if you're a Mac or Linux user and those security programs don't exist for your platform or they are unneeded? Can they just deny your claim and you lose all your assets for using an OS with a higher track record of security?

    I guess that's better than TreasuryDirect's policy on the issue which states that they're not responsible if someone cleans out your account as long as it was done with your password.

    Regulations Governing New TreasuryDirect System, 31 CFR Part 363, § 363.21: "Who is liable if someone else accesses my New Treasury Direct account using my password? You are solely responsible for the confidentiality and use of your password. We will treat any transactions conducted using your password as having been authorized by you. We are not liable for any loss, liability, cost or expense that you may incur as a result of transactions made using your password."

    1. Re:Mac and Linux users beware? by WK2 · · Score: 1

      I'm surprised nobody else pointed this out. It's the first thing that jumped at me. They judge security based on how many blacklist products you need to install.

      I also think it is worth pointing out the article headline says "UK Banking Law Blames Customers For Insecure OS" and then the summary implies that the UK Banking Law requires that customers use an insecure OS.

      Thanks for the warning about TreasuryDirect (even if it is a bit off topic). I was planning on putting some money into U.S. bonds, but not any more.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    2. Re:Mac and Linux users beware? by bhtooefr · · Score: 1

      It didn't say that the software had to be installed. Toss the (Win32) executable for some anti-spyware app in a directory, download a fresh executable daily.

      apt-get install clamav for the antivirus.

      And, apt-get install iptables for the firewall.

    3. Re:Mac and Linux users beware? by Anonymous Coward · · Score: 0

      Funny how the creation of the New Treasury Direct system subject to those no-responsibility regulations came about in concert with abolition of the paper form method for directly (i.e. without paying a commission to a broker/bank) buying Treasury securities.

    4. Re:Mac and Linux users beware? by zotz · · Score: 1

      That's some fine thinking.

      I was just thinking of writing a do nothing program and calling it an anti-spyware program for linux and claiming that it catches all known linux spyware... before I read your post...

      Just for fun mind you.

      all the best,

      drew

      --
      FreeMusicPush If you want to see more Free Music made, listen to Free
  35. Why should on-line banking be any different... by Copley · · Score: 4, Insightful

    ... from physical cheque books and credit cards. If I leave my wallet in a place where cards, etc. might be stolen, I'm responsible for any losses that occur - shouldn't the same be true if I leave my electronic 'wallet' open? I really think that, within limits, people need to be held responsible for their actions/inactions - too much 'I never realised/knew/expected/thought that might happen' in the world. The banks should have similar guidelines to those used for stolen physical banking paraphernalia - if you suspect your PC might have been compromised, report it to the bank within a given time frame and they thereafter accept responsibility for subsequent losses.

    --
    I am bald
    1. Re:Why should on-line banking be any different... by grumbel · · Score: 1

      The problem is that when you blame the user you give those that actually could fix the issue a free pass to continue to produce insecure junk.

      The user is by far the weakest party in this and has the least chance to actually do something about the problem.

    2. Re:Why should on-line banking be any different... by Copley · · Score: 1

      The user is by far the weakest party in this and has the least chance to actually do something about the problem.

      I agree with the first part of this statement, but disagree with the second. No amount of system security (short of totally locking-down the computer to the point that the user can't run/alter a thing) will ever be able to prevent an uninformed user clicking on e-mail attachments, visiting stupid, malware-ridden websites or clicking 'Allow' to every dialogue that they are presented with.

      Educating people that computers are not appliances like fridges is the only way that things will ever begin to be better. I think that the banks imposing a you-screw-up-and-you-lose policy is a pretty good way to make users face-up to the consequences of their actions - ie. to educate them.

      --
      I am bald
    3. Re:Why should on-line banking be any different... by grumbel · · Score: 1

      No amount of system security (short of totally locking-down the computer to the point that the user can't run/alter a thing) will ever be able to prevent an uninformed user clicking on e-mail attachments,

      Yes, no amount of security will ever be able to control the user, but then, that's not the point of software security; the point is simply to not let a user's actions cause unexpected harm. There isn't a single good reason why clicking an attachment should be dangerous; in fact there is a lot of reason for the user to believe that it would be harmless, and with proper software it would be.

      or clicking 'Allow' to every dialogue that they are presented with.

      The problem here is that users have been trained to click dialogs away, because 99% of them really are stupid, annoying and pointless. No surprise that the user will just continue clicking on that 1% of dialogs that actually matters; they simply have been trained for exactly that.

      Educating people that computers are not appliances like fridges is the only way that things will ever begin to be better.

      No, that's the way to make things stay exactly the same. Software as we have it today is totally broken, and while it is good to educate users about that, it should be made clear that this isn't an unfixable problem. Software isn't the way it is because it has to be, but because nobody ever spent the time to fix it. This whole educating the user about how he should have a firewall and a virus scanner and stuff is all nice and good; it however is also misleading, since none of that would be needed in a good OS.

      I think that the banks imposing a you-screw-up-and-you-lose policy is a pretty good way to make users face-up to the consequences of their actions - ie. to educate them.

      It is also a good way to stop the banks from fixing the problem; after all, they don't have to pay the bill if things go wrong. If users' computers can't be trusted then they simply shouldn't be used to handle money transfers, because the system as a whole isn't secure that way. Solutions with dedicated hardware (HBCI, etc.) exist; they just need to be supported by the banks.

  36. unsupported browsers by matpod · · Score: 1

    are these the same banks that don't support anything but IE? i have to fake it with my browser of choice (opera) with my bank (abbey) or read and digest their unsupported browser legalese.... so, we can't use basic standards, but we are responsible for when we're shoehorned, nice.

  37. Comment removed by account_deleted · · Score: 3, Funny

    Comment removed based on user account deletion

  38. smelling class-action by Anonymous Coward · · Score: 0

    A few questions...

    If banks with probably one of the industries with the most extensive resources to provide security can not protect their own online applications, how are customers, with much less resources supposed to do it?

    If Microsoft - with all their resources, including their engineers, who wrote the software - can not guarantee their operating system - how are customers (brick layers, hair dressers, teachers, bank clerks) supposed to protect it?

    If Microsoft keeps hiding the source code of their software - how is anybody else supposed to be able to guarantee the security of their software?

    Laws like this will put out of business e-commerce and possibly Microsoft once customers world-wide will start to sue their banks and Microsoft.

    We can just return to the happy era of cash and bank branches with lots of tellers and long business hours.

  39. Ha Ha Ha!!! by no-body · · Score: 0

    Every time I log onto this bank (US Bank) with my favorite Opera, I get a popup bitching about my browser - I contacted them they replied:

    -----
    The technical issues you are experiencing can be caused by the use of an unsupported browser or
    incompatible browser settings. Please check to make sure you are using a supported browser. If you
    are, please check the browser settings for your browser type by following the procedures listed below.

    Operating System: Microsoft Windows 2000, Microsoft Windows XP, MacIntosh OS X

    -----

    And, they claim this on their site:

    Browsers
    The following browsers are compatible with U.S. Bank hosted web pages and web-based applications:

    Microsoft® Internet Explorer 6.0 or higher
    Firefox
    Safari

    Upgrade Your Browser
    It's quick, easy, and free! Even if you already have the required minimum browser version, you may want to consider upgrading. Just follow one of these links...

    Microsoft Internet Explorer Downloads *
    Firefox Product Downloads *
    Safari Downloads *

    Find Your Current Software Information
    To find your current software information, choose "Help" located on your top browser toolbar. Then choose the "About..." option.

    Operating Systems
    The following operating systems are compatible with U.S. Bank hosted web pages and web-based applications:

    Microsoft® Windows 2000 or newer, XP, and Vista
    Mac OS X

    1. Re:Ha Ha Ha!!! by bhtooefr · · Score: 1

      F12 -> Edit site preferences -> Network -> Mask as Firefox

      There, you're done.

    2. Re:Ha Ha Ha!!! by no-body · · Score: 1

      If you think I did not try that - you're mistaken.

      I use IE under Linux and Windoze with Opera.

      And - faking it won't change the blockheads' stubbornness either.

  40. Safety by Anonymous Coward · · Score: 0

    Keeping uninvested money in a bank is supposed to be *safer* than keeping it in a mattress at home. If the digital age has changed that, then perhaps it is time to go back to keeping cash in a mattress?

    Either way, if most of your money is in a bank (or a mattress) then you need to educate yourself on the basics of financial management. You will never get ahead if you don't know how to invest.

  41. Chip and Pin design failure in the pos terminals by sjwest · · Score: 1

    In England where cnp is 'working', what that means is that fraud has mostly moved abroad once the fraudsters have your details.

    Generally i think Cambridge university has the scoop, which is that the chip and pin pos terminals don't encrypt data in the terminal and send it plaintext, so it can easily be intercepted for making new cards, as they have the pin number well before signing the data to the 'bank'.

    So the thieves have been hacking the chip and pin terminals, threatening retail staff (petrol stations and clothing outlets) and then cleaning people's accounts out.

    Cnp works stopping idiots, but the thieves too have worked on cnp terminals and the game moves on. cnp terminals can be bought on ebay for hacking.

    The banks and their trade body have yet to respond to the academics; it has been several months but they are 'aware of the flaws'.

  42. Re:Bullcrap. Don't need that stuff. by eclectic4 · · Score: 1

    "SOMEONE explain to me why any reasonable user should need this resource-hogging crap?"

    Because you seem to not realize the difference between "reasonable" and "average user". They are completely different I'm afraid... to be reasonable is one thing, to be a gullible newbie (90% of the computer using base) is another. Why do the intelligent /. readers/posters still not realize that they are not a representative of the average user? Oh wait...

    --

    "The greatest obstacle to discovery is not ignorance - it is the illusion of knowledge." - Daniel Boorstin
  43. SecureID and Ilk by JimCDiver · · Score: 1

    Banks should hand out token card that combines with a username and password/pin. You need all 3 to login. So now you need to have a physical object of the users to break in. Something people are much more familiar with protecting. Username and password authentication is a poor lock. Double especially when you let the user pick the password.

  44. Law?? by shabble · · Score: 1

    The 'Banking Code' is a voluntary code of conduct between banks and their customers. It has nothing to do with 'Law.'

    1. Re:Law?? by Anonymous Coward · · Score: 0

      "The 'Banking Code' is a voluntary code of conduct between banks and their customers. It has nothing to do with 'Law.'"

      Then customers may simply voluntarily ignore it. Especially because it's written by banks, without the participation of the other "volunteer" party, the customer.

  45. Easy answer by WindBourne · · Score: 1

    the very fact that you are not running anti-virus/spyware on your MS box, AND are asking how you can get infected, says that you have absolutely no clue about this.

    It is as the saying goes, it is not who you screwed, but who that person screwed or shot up with. This is just like HIV. When you KNOW the other party and KNOW that they are not screwing around, then you do not need a condom. But otherwise, you do. This is the same

    If you connect to a site that is running an older version of a web site, they could be quietly infected. To be honest, it is actually true on cutting edge installs as well. In addition, it is easily possible for the company to decide to push an infection; perhaps a spy was hired and they were in there. The simple fact is, if you run a system that is well known for a large number of openings, then you are crazy to NOT run this protective software. It is just the cost of using that software.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  46. Re:Bullcrap. Don't need that stuff. by Anonymous Coward · · Score: 0

    Why should I have a firewall? I have a NAT router (hardware firewall).
    Because a firewall not only alerts you to "interesting" incoming connections, but rather to undesirable outgoing connections. Say you get a perfectly nice utility off the promotional CD, which just happens to hide a trojan. This trojan starts to log your every keystroke and sends it out to the master. Without a proper firewall, how will you ever know?

    Why should I have antispyware? I know what I'm downloading.
    Because it's not about what you know you are downloading, but rather what you don't know gets uploaded from your computer. Before you say you only visit safe web sites, think about the reality: even Ubuntu servers got hacked, Fortune 500 companies get hacked with frightening regularity. Antispyware is at least there to warn you about "interesting" things happening on your computer, so you at least have a chance to react to an incident.

    Why should I have antivirus?
    Oh, I see now. You have lived under a rock for the last 10 years. You will be happy to know that today you can get viruses and trojans from downloading BIOS updates, visiting your favourite news site, checking that freebies DVD added to your favourite magazine, auto-started from that nifty U3 USB key your S.O. just gave you for a birthday, together with motherboard drivers on a product support CD, ...

    Overall you can generally avoid such junk by:
    a) not having your computer connected to the internet
    b) using something unpopular enough that the probability of an incident is significantly lower than it is for a mainstream OS

  47. Banking is basically a Ponzi scam by Colin+Smith · · Score: 0, Troll

    As the US in particular is finding out (yet again) right now. Why on earth would you do more than the absolute minimum business with these people?

    Caveat Emptor...

    --
    Deleted
  48. ATTN Banks by Anonymous Coward · · Score: 0
    Unfortunately the users aren't criminally responsible and banks themselves should be a little more pro-active...

    • Make sure banking sites are functional without the web's number one security liability (javascript).
    • Publish -all SPF records to help stop phishing emails.
    • Check the HTTP referer before serving web content linked by a third party page.
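The second item above, publishing an SPF record that ends in `-all`, is the one a receiving mail server can act on mechanically. The following is an added example (not code from the post or from any bank) of the evaluation a receiver performs: it walks the `ip4`/`ip6` mechanisms and the `all` mechanism with their qualifiers, using constructed sample TXT records in place of real DNS lookups, and shows that a forged sender IP is only rejected when the record ends in `-all`; with `~all` it is merely flagged, and with no `all` term or no record at all it falls through to "neutral" or "none" and is accepted. Domain names and addresses are constructed, and `check_spf`/`receiver_action` are names chosen for this example.

```python
import ipaddress

# Constructed sample TXT records keyed by domain; stand-ins for real DNS lookups.
SAMPLE_TXT_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",   # hard fail
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",                # soft fail
    "noall.example": "v=spf1 ip4:192.0.2.0/24",                        # no 'all' term
    "nospf.example": None,                                             # no record
}

# What each qualifier on a matching mechanism means for the receiver (RFC 7208).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, records=SAMPLE_TXT_RECORDS) -> str:
    """Return the SPF result for mail claiming to be from `domain`, sent by `sender_ip`.

    Only the ip4/ip6 and all mechanisms are handled (no include/a/mx/redirect),
    which is enough to show why '-all' matters: without it a forged sender IP
    never produces a 'fail'.
    """
    record = records.get(domain)
    if not record:
        return "none"                  # no policy published: receiver cannot judge
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                # mechanisms default to '+' (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":              # 'all' always matches; its qualifier decides
            return QUALIFIER_RESULT[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip in network:          # False when IP versions differ
                return QUALIFIER_RESULT[qualifier]
    return "neutral"                   # ran off the end: no match and no 'all'


def receiver_action(result: str) -> str:
    """A simple receiver policy: reject hard fails, flag soft fails, accept the rest."""
    return {"fail": "reject", "softfail": "mark-as-suspicious"}.get(result, "accept")


if __name__ == "__main__":
    forged_ip = "203.0.113.5"          # constructed: not in any record above
    for domain in SAMPLE_TXT_RECORDS:
        result = check_spf(domain, forged_ip)
        print(f"{domain:18} {result:9} -> {receiver_action(result)}")
```

Run against the forged address, only `bank.example` yields "reject"; the three weaker records let the phishing mail through, which is the point of the "-all" advice.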
  49. The Banking Code produced by the British Bankers' by Anonymous Coward · · Score: 0

    The Banking Code produced by the British Bankers' Association...

    Has anyone checked if it contradicts The Banking Code produced by the British Bank Customer's Association?

    Wait a minute...
    The British Bankers' Association as a legislative body?!

    Really? Since when?
    When have they been elected to do legislation applicable for British subjects?
    How about the Parliament? What has happened to them?

    Can someone tell me please that I am just dreaming...

  50. Re:Bullcrap. Don't need that stuff. by Lennie · · Score: 1

    Or they just pay an ad-network 50 bucks and infect thousands of networks that way.

    --
    New things are always on the horizon
  51. Re:Bullcrap. Don't need that stuff. by Lennie · · Score: 1

    Just to be clear, in that case you still need the browser-security-bug, but no server-bugs.

    --
    New things are always on the horizon
  52. riiight.. by Dekker3D · · Score: 1

    interesting system. i hope they're not using the same logic in the netherlands, or i'm screwed. the rabobank, where i've got an account, only supports internet explorer for internet banking so i wouldn't even be capable of doing so from a safe OS. i feel sorry for those poor brits..

  53. /. article BS. Proof by counterexample. by aristolochene · · Score: 1

    Halifax bank will refund all money lost through online fraud.

    http://www.halifax.co.uk/securityandprivacy/onlinefraudguarantee.asp

    That's just one bank. IIRC most offer some sort of online fraud guarantee. It's in the retail banks' interest to have people banking online. Paying bills, arranging standing orders, ordering cheque books in branch all cost money to the banks. Better for them that people do it online, even if they take the occasional hit from refunding people whose accounts have been hit by fraudsters.

    In addition, the FSA would almost certainly side with a sensible customer who was the victim of fraud and complained via the FSA about their bank's actions.

    --
    echo $SIGNATURE
  54. Someone has to pay by dhaen · · Score: 1

    I, like a minority of others, use a secure operating system. If the banks have to pay out, then the money will come from us anyway. Far better to directly charge the people who cause the loss.

  55. Nitpick by Joe+Jay+Bee · · Score: 1

    The Banking Code isn't "law". It's a voluntary code of conduct which banks agree to abide by as a pretense to ensuring that the regulator doesn't pulverise them for being generally anti-consumer.

  56. Don't overlook the obvious by Whuffo · · Score: 3, Insightful
    Banks are responsible for the safety / security of the assets entrusted to their care. They protect those assets by erecting barriers and using authentication to ensure that only the person who the asset belongs to can access it.

    So just exactly who decided to put customer information / account access on the internet where security problems are widespread and well known? Those so-called professionals at the banks must have known that this would lead to problems - and did it anyway.

    Pointing at insecure computers, spyware, malware, etc as being the problem is ingenious. This is simply an attempt by the bank to move some of its expenses onto its customers.

    Remember - none of these internet security / fraud problems would exist if the bank hadn't put the customer accounts online. They knew this was likely to happen and now this bad idea is starting to affect their bottom line. Rather than take responsibility for their mistake, they're abusing the legal system to move the losses onto their customers.

    Gotta love those banking corporations...

    1. Re:Don't overlook the obvious by pigwin32 · · Score: 1

      The internet is a cheap and effective channel for banks and a very convenient channel for customers to access their accounts 24/7. Compared to the losses associated with credit card fraud the losses due to internet banking fraud are generally considered fairly inconsequential (not long ago at the bank I worked in someone even managed to get a mortgage for a property that they didn't own and absconded with over $100K). For that reason it is more likely for a bank to pay up and shut up than risk drawing attention to an internet banking related incident. One of the reasons two factor authentication is not widespread is because banks consider it might put people off using the channel because of the inconvenience of carrying around some form of token.

      There are also a wide variety of two factor schemes. Battleship cards are popular, cheap, and fairly easy to exploit. RSA challenge-response tokens are at the other end of the spectrum in terms of both cost and security. Even relatively secure tokens can still be open to man in the middle type attacks.

      Plus the human factor is often a far greater risk. A bank cannot protect against a son/daughter/cousin/spouse "borrowing" a token after shoulder surfing the account/password.

      Ultimately security is a tradeoff based on the perceived risk and this is true of security in general, not just banking over the internet. And as always we are very ready to hand over our personal responsibility to a faceless organisation in return for convenience and a sense of security and we get upset when there is any suggestion that some of the onus lies with us.

    2. Re:Don't overlook the obvious by brusk · · Score: 1

      Yeah. Just like the phones. The stupid banks let us call up and perform transactions over the phone, when the phone is notoriously insecure--it's easy to wiretap, and someone could be using a speakerphone in a public place; the bank has no way of telling.

      Mail is also insecure, since people steal mail all the time, yet banks mail statements to their customers.

      Also, having multiple branches is risky, since it requires communication between them, which could be tapped.

      So every bank should have just one branch, and you should have to go there to perform any transaction. That would solve most of the security problems you're worried about.

      --
      .sig withheld by request
  57. Sudden outbreak of common sense? by i_ate_god · · Score: 1

    Of course users should be held accountable. They are held accountable with car maintenance; they should be held accountable with computer maintenance, since both can put your life at risk in very different ways.

    --
    I'm god, but it's a bit of a drag really...
  58. So then.... by TemporalBeing · · Score: 1

    ...the banks will have to support more than Windows, no? And more than simply IE, no? Otherwise, customers could sue saying that's all the bank allowed them to use...though, I'm guessing from the summary there is probably a clause to get them out of that too.

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  59. Be cynical by gwern · · Score: 2, Insightful

    Funnily enough, this reminds me of something I once read, by Schneier:

    "In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:

    'When ATM cardholders in the US complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks' agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the UK, the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn't care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the US, the banks improved ATM security to forestall additional losses--most of the fraud actually was not the cardholder's fault--while in the UK, the banks did nothing.'

    The banks had the capability to improve security. In the US, they also had the interest. But in the UK, only the customer had the interest. It wasn't until the UK courts reversed themselves and aligned interest with capability that ATM security improved."

    from http://www.schneier.com/blog/archives/2006/06/aligning_intere.html

  60. Why should the bank pay the nth time? by hattig · · Score: 1

    Back in the real world, this is to stop banks reimbursing stupid people who keep on getting their computers compromised with keyloggers, or who keep on giving their log on details to phishing sites.

    They'll still reimburse you the first time for something that they can trace to user incompetence. Maybe even the second time. After that they won't, sadly the only way to educate people about things is to hit them in the pocket, otherwise they're just too lazy to bother to learn how to fix things. Alternatively the bank should just turn off their online banking facility after the usual pin change (bet most users switch it back to the compromised pin!) and card change, etc.

    However the terms and conditions should be amended, they're too wide ranging right now. Clarity as to how the bank will behave is what is needed.

    However it must be really hard for a bank to determine if a fraudulent transaction was made from a cloned card. However for anything relating to online banking and criminals logging in with details from phishing or keylogging, then they can pinpoint the issue.

    Maybe banks should move to proper two-factor authentication (Something you know, Something you have), not Twice One-factor (Two times something you know) first.
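Both JimCDiver's post above ("token card that combines with a username and password/pin. You need all 3 to login") and the last paragraph here describe the same scheme: a one-time code from a physical token (something you have) checked alongside a password (something you know). The block below is an added example, not code from either poster or from any bank, of how a server verifies such a login. The one-time code is HOTP (RFC 4226, HMAC-SHA1 over an event counter), which is what the event-based hardware tokens of the period emit; the secret and expected codes in the demo are the RFC's own published test values. The `TokenAccount` class, the look-ahead window size and the `login` function are choices made for this example. It also shows the property that makes the token worthwhile: a code that was captured by a keylogger cannot be replayed, because the server's counter has already moved past it.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenAccount:
    """Server-side record (hypothetical): salted password hash plus the token's
    shared secret and the next counter value the server expects."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt,
                                           self.PBKDF2_ROUNDS)
        self.token_secret = token_secret
        self.counter = 0

    def verify_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt,
                                        self.PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self.pw_hash)

    def verify_otp(self, otp: str, look_ahead: int = 5) -> bool:
        """Accept a code for the expected counter or a few beyond it (the user may
        have pressed the token's button without logging in). On success the counter
        jumps past the used value, so the same code can never be accepted again."""
        for c in range(self.counter, self.counter + look_ahead):
            if hmac.compare_digest(hotp(self.token_secret, c), otp):
                self.counter = c + 1
                return True
        return False


def login(account: TokenAccount, password: str, otp: str) -> bool:
    """Both factors must pass. The password is checked first so that a guess
    with a wrong password does not consume token counters."""
    if not account.verify_password(password):
        return False
    return account.verify_otp(otp)


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; the token would hold the same bytes.
    acct = TokenAccount("correct horse battery", b"12345678901234567890")
    print(login(acct, "correct horse battery", hotp(acct.token_secret, 0)))  # True
    print(login(acct, "correct horse battery", hotp(acct.token_secret, 0)))  # False: replay
    print(login(acct, "wrong password", hotp(acct.token_secret, 1)))         # False
```

The look-ahead window is the usual trade-off for event-based tokens: too small and a token that drifted ahead of the server locks the user out, too large and an attacker gets more guesses per attempt; a real deployment would also rate-limit failed attempts, which is left out here.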

  61. Same thing in New Zealand, but... by meowsqueak · · Score: 3, Informative

    it proved so unpopular that banks were effectively forced to reduce their hard-line stance:

    http://www.consumer.org.nz/newsitem.asp?docid=5114&category=News&topic=Internet%20banking%20rule%20back-track

    1. Re:Same thing in New Zealand, but... by pigwin32 · · Score: 3, Interesting

      I think it was more the stance that was at issue and not that the code of practice was actually being enforced. Kiwi banks are far more concerned that an incidence of fraud might damage their reputation and put customers off using what is a cheap and effective channel. Consequently they will tend to pay out any losses in order to keep below the media radar. Banks could quickly solve this problem by introducing secure challenge response tokens but the cost would be enormous and many users would struggle with the technology increasing the cost of support.

  62. YES! YES, for crying out loud, you ARE responsible by Opportunist · · Score: 1

    Why should computers be the ONLY tool that you may use carelessly and cause damage to you or others without any possible consequences? When you handle a gun without care and shoot yourself or others, YOU go to court for it (or at least to the hospital, when you shoot yourself). When you drive carelessly and roll over someone, you're responsible. When you do your own plumbing and don't seal it well enough, and cause a flooding, you are responsible for the damage.

    Now, care to tell me why it is different with computers?

    I can very well understand the position of the bank. Why should they be responsible for your loss when you caused it yourself? They did everything necessary to ensure their side of the connection is secure. They even took care to use a secure connection between you and them. Still, they should be also responsible when you are unable or unwilling to care for the security of your own box? Tell me why, please.

    So, now mod me troll, flamebait or whatever you want. I got plenty of karma to burn. IMO, it's a matter of common sense that you are responsible for the damage a tool in your control does to others. If you're unable to control the tool, don't use it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  63. Re:Bullcrap. Don't need that stuff. by Anonymous Coward · · Score: 0

    Your comment about "reasonable user" tells you all you need to know. Why do you think the majority of users are "reasonable" or even merely competent? AV and anti-spyware protect stupid users from themselves.

  64. Fsck the Bankers by Detritus · · Score: 2, Insightful
    Aren't these the same bastards who had a police constable arrested and convicted of attempting to obtain money by deception after he inquired about unauthorized withdrawals from his account?

    http://catless.ncl.ac.uk/risks/18.25.html#subj5

    Why fix your own systems when you can blame the customer?

    --
    Mea navis aericumbens anguillis abundat
  65. Re:Bullcrap. Don't need that stuff. by st0rmshad0w · · Score: 1

    Considering you don't know the difference between a NAT router and a true hardware firewall, I think maybe you should listen to the advice.

    Spyware and viruses/trojans are often a payload of network aware worms which don't need you to do anything but make your machine available to the Internet or any other unsecured network to allow them to infect you if your system has an exploitable vulnerability.

    You don't really need the resource hogging crap (like Norton 360 etc) if you have a REAL UTP firewall device, but you go on and keep rocking that Linksys like it's the great firewall of China and see how far that gets you.

    That said, I will say if you are _very_ careful you can minimize your exposure potential, but if the means are available, why not take the measures?

  66. They could never hold it against the end user. by hilather · · Score: 1

    Because by the time most anti virus scanners are updated with new definitions, the damage is usually already done. How long do you think it takes from the time of first seeing a worm to having a definition that can detect it? There is always going to be a window of users that will be vulnerable. And let's be honest, the first thing any decent virus is going to do is nix the anti virus running on the system. Good luck detecting it after that; most users are too stupid to even notice it has stopped running, or better yet it's still running, just not updating anymore. A day later your bank account becomes drained and your anti virus is out of date, and at this point the bank says it is your fault? It wasn't your fault a single step of the way.

  67. insecure OS .. by rs232 · · Score: 1

    What 'insecure' OS would that be? A real solution would be to use one of those bootable CDs.

    http://www.ubuntu.com/

    --
    davecb5620@gmail.com
  68. It is your fault for running an insecure OS? by Orion+Blastar · · Score: 1

    Not the fault of the company that wrote the insecure OS? Not the fault of the hacker/cracker who broke into your system and stole your identity? Not the fault of the bank for having an insecure way to verify an identity? Not the fault of the UK Police for not catching the person or people who stole your identity?

    In the USA we call such a thing as double jeopardy when someone becomes a victim of something twice. Like being charged with the same crime after being found not guilty or innocent of it the first time. We wrote our laws to cover that as England did it to people a lot before we rebelled. Now I see the UK is still doing it to people.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
    1. Re:It is your fault for running an insecure OS? by forsetti · · Score: 1

      It is your fault for running an insecure OS? Yes - you have the option of choosing a more secure OS, or purchasing components to better secure your current OS.

      Not understanding the capabilities of your OS is not an excuse. If you buy a Ferrari, and it does not do well off-road, whose fault is it? If Ferrari claimed it was off-road capable, then *you* should go after them. If they made no such claim, then *you* are at fault for assuming its off-road capabilities. Either way, *your* course of action is in *your* hands.
      --
      10b||~10b -- aah, what a question!
    2. Re:It is your fault for running an insecure OS? by Orion+Blastar · · Score: 1

      "Yes - you have the option of choosing a more secure OS, or purchasing components to better secure your current OS."

      So basically if I need software that only an insecure OS can run, I'm just shit out of luck. Even if I run a secure OS like Linux or Mac OSX I still need a virtual machine to run the insecure OS within so I can run the software that Linux and Mac OSX cannot run. If WINE cannot run it because it needs BITS or some other service that WINE doesn't support I have to go the virtual machine route.

      That means if I need a Windows only PLC programmer tool, or a custom application for my business that only exists for Windows, and no Linux or Mac OSX alternative exists I am still forced to use an insecure OS to run the software I need to run my business or program. But because I am forced to either run an insecure OS or go out of business, if I choose to stay in business and run the insecure OS if I get hacked I'm at fault? Even if I bought a hardware router, a software firewall and other security programs and hardware options, to protect myself I'm still at fault.

      Of course if I had a few million in VC I could hire some programmers to write custom versions for Mac OSX or Linux to do what I want, to fit my needs, but being poor and trying to run my own business doesn't give me those resources.

      Of course my real only hope is that ReactOS is finished and has better security than Windows, so it can run legacy Windows programs and also be secure at the same time.

      Most people don't run Windows because they want to, they run Windows because nothing else can run the software they need for their business or work. Mostly because there isn't a Linux or Mac OSX alternative to the Windows based software they use. In that case a car analogy doesn't work because it is not the hardware that is the problem but the software. The difference between a PC running Windows, Mac OSX, or Linux doesn't really differ that much by hardware, the real difference is the software used. Even Macs use the same processor, RAM, video, hard drive, and expansion bus as most PCs running Windows do. Technically most modern PCs should be able to be reformatted and put Linux on them or a hacked version of Mac OSX for Non-Apple systems. But the latter is not quite ethical or legal to do in the case of the hacked Mac OSX install.

      So until Linux and Mac OSX get better support for business applications, PLC programs, and customized programs that only exist for Windows get ported to Linux or Mac OSX, a lot of people are stuck with an insecure OS by either being the main OS or an OS in a virtual machine. Not only that but Linux and Mac OSX need to get better driver support for third party hardware to support more machines, or in the case of Apple support non-Apple hardware via OEM versions of Mac OSX.

      --
      Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  69. Re:Bullcrap. Don't need that stuff. by Britz · · Score: 1

    Drive by hijacks of your browser also come through paid ads in Google that are displayed on popular webpages. Some use zero day exploits of either IE, Acrobat Reader, RealPlayer or other popular addons.

    Also when a security hole in php is found crackers sometimes use it to turn many "trusted" webpages into hijacking webpages.

  70. only if it's your fault by Chris+Snook · · Score: 3, Insightful

    "If you act without reasonable care, and this causes losses, you may be responsible for them."

    In other words, if your authentication info gets stolen by a virus that's in the wild, and would have been blocked by up-to-date antivirus software, you're responsible for what happens as a result.

    This does not appear to be intended to make the customer's software a scapegoat, just to hold people responsible for failure to take reasonable steps to protect their accounts. It is still very much in the bank's interest to improve account security measures, as most losses will not be clearly attributable to a cause that would allow this provision to be invoked.

    --
    There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
  71. Policy, Not Law by John+Hasler · · Score: 1

    > UK Banking Law...

    No law involved. This is about bank policy.

    > If you use an insecure OS in the UK and someone drains your bank account, the banks say
    > it's your fault.

    No shit. Why should the bank be responsible for your buggy software? Sue whoever sold it to you if they lied to you.

    > Should end users be ultimately responsible for the state of their systems?

    Who the hell else should be responsible?

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  72. Re:Bullcrap. Don't need that stuff. by sdsucks · · Score: 1

    Way too easy.

    Just a few reasons:
    - Browser exploits are extremely common, and are not even close to limited to sites of questionable content.
    - You may think you know what you are downloading, but you don't. (How can you tell for sure that the copy of winzip or whatever you just downloaded is actually that? Checksums are only a mild help here)
    - Do you check your email on the computer? There is a prime attack point.
    - A "NAT router" barely qualifies as a "hardware firewall". If you want a simple hardware firewall for home use, take a look at the smaller sonicwall products or similar. (You want stateful packet inspection, deep packet inspection, and real time AV scanning as features. Unless your "NAT router" is really high end, it doesn't have these features)
    - Even a good hardware firewall is not protecting you. Security is best done in layers. (End user practices being one important level, but hardly the end all layer)

    Honestly there are so many reasons I could go on and on.

    FWIW, I hate AV software, but realize it's pretty much necessity if you have any expectation of security or privacy on your computer.

  73. Re:Bullcrap. Don't need that stuff. by Anonymous Coward · · Score: 0

    > Yes, this does happen.

    Which is why javascript should only ever be enabled for scripts from trusted hosts -- I find it easier to turn it off altogether.

    Like the OP, I have no use for AV. I've not had a security incident in 7 years of running linux on the desktop; the same can't be said for UK banks.

  74. Re:Bullcrap. Don't need that stuff. by phantomcircuit · · Score: 1

    I'm pretty freaking tired of all this "advice" that you need this protection for Windows machines.

    > Why should I have a firewall? I have a NAT router (hardware firewall)

    Software firewalls can provide outbound connection control. Obviously this isn't perfect but it's the best it can be really.

    > Why should I have antispyware? I know what I'm downloading.

    Most of this shit is embedded in other programs, you'd never know it was there.

    > Why should I have antivirus?

    To slow down your computer of course.

    > I run IE7 and Firefox. Although neither are perfectly secure I don't make it a habit to go to Russian warez sites.

    iframe ads, iframes injected by attacking the main site, site take over, etc... don't count on sites you trust being safe.

  75. Secure OS... by Tuoqui · · Score: 1

    Sure as long as the banks do the same and switch to Linux :D

    --
    09F911029D74E35BD84156C5635688C0
    +2 Troll is Slashdot's way of saying groupthink is confused
  76. fucking laughable by Anonymous Coward · · Score: 0

    The only virus I've had in the last 15 years (i.e. since the one on my Atari ST) is the one I had on my work PC.

    I work for a UK bank.

    (Posted anonymously for pretty fucking obvious reasons).

  77. There's a big difference in whose fault it is by bigbigbison · · Score: 1

    There's a big difference between saying that it isn't our fault and saying that it is your fault. They are saying it isn't their fault. Just because it isn't their fault doesn't mean they think it is yours.

    --
    http://www.popularculturegaming.com -- my blog about the culture of videogame players
  78. Internet License by zoltamatron · · Score: 1

    While the idea of an internet license is interesting, I don't think it applies in the same sense as drivers licenses because your stupidity on the internet can really only harm you. I guess the only exception to that is people that get bot-netted. Yes, people should learn how to use the internet responsibly, but there is plenty of incentive to do that since if you don't, then you can incur actual losses. But it's not like you can crash your computer into someone else's.

    --
    Tolerance does not tolerate intolerance, or hypocrisy.
    1. Re:Internet License by bluemonq · · Score: 1

      While someone else can't crash their computer into mine, they can let their computer become part of a botnet that ends up spamming my email account. While no damage is really done to me (besides the irritation of sifting through the account), I would assume the aggregate additional bandwidth costs to the ISP is another story...

    2. Re:Internet License by CastrTroy · · Score: 1

      Responsible ISPs look out for customers who are part of a botnet, and kick them off until they can fix the problem. If the ISP doesn't kick the people off who are part of a botnet, they obviously don't mind the extra cost.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  79. Re:YES! YES, for crying out loud, you ARE responsi by rant64 · · Score: 1

    They did everything necessary to ensure their side of the connection is secure. If the transaction does not require two-factor authentication, then I do not agree. I am an ABNAMRO customer, and as mentioned above logging on to the bank account requires knowledge of the bank account number, card number, my PIN and the possession of a device called edentifier (which is generic, I can use anybody's edentifier).

    After entering my account and card details on the website (over HTTPS), the site generates a one-time challenge and the site expects the response from the edentifier to match. Every transfer requires a challenge/response authentication and amounts over EUR 500 require a second authorization with the amount factored in.

    Now, even if I gave you all details of above, how were you going to loot my account without the physical card and my PIN?? In my opinion, this makes it even a little more secure than walking up to an ATM, and best of all, this has nothing to do with OS or browser security.

    Btw, I'm also growing tired of the car- and/or gun-analogies everyone's trying to apply to online transactions. Driving a car and handling a gun require some sort of skill on the owner's part. If you can't handle one, don't use one. There are laws for that, too. How does that apply to logging on to your bank account and transferring money, again? You want every human in the range of 16 to 120 years old to be a counter-scam-super-artist? Especially minors, for whom the parents are financially responsible? Get real!
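    The challenge/response flow described in the post above, written out as an added example in Go. It is not ABN AMRO's code: the shared card secret, the HMAC construction, the 8-digit truncation and the names Card, Bank and Transfer are all assumptions of this example. Every transfer gets a plain challenge/response, and above EUR 500 a second response that mixes in the amount the customer typed into the reader, so an order whose amount was altered between the screen and the bank does not verify.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Threshold from the post: transfers above EUR 500 need a second,
// amount-bound authorization. Amounts are in cents throughout.
const secondAuthThresholdCents uint64 = 500_00

// Card models the customer's chip card: a per-customer secret shared with the
// bank (an assumption of this example; the page does not describe the real
// algorithm). The reader is generic, as the post says: it only feeds the
// challenge digits and the amount into the card.
type Card struct{ Secret []byte }

// Respond computes an 8-digit response over the bank's challenge. For an
// amount-bound authorization the amount is mixed into the MAC, so a response
// computed for one amount cannot be reused for another. amountCents == 0 is
// a plain (login or small-transfer) check.
func (c Card) Respond(challenge []byte, amountCents uint64) string {
	mac := hmac.New(sha256.New, c.Secret)
	mac.Write(challenge)
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], amountCents)
	mac.Write(amt[:])
	sum := mac.Sum(nil)
	// HOTP-style dynamic truncation to eight decimal digits.
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%08d", code%100000000)
}

// Bank holds enrolled card secrets and the one outstanding challenge per
// account. Challenges are random and single-use.
type Bank struct {
	secrets    map[string][]byte
	challenges map[string][]byte
}

func NewBank() *Bank {
	return &Bank{secrets: map[string][]byte{}, challenges: map[string][]byte{}}
}

func (b *Bank) Enroll(account string, secret []byte) { b.secrets[account] = secret }

// Challenge issues a fresh random challenge for the account.
func (b *Bank) Challenge(account string) []byte {
	ch := make([]byte, 8)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	b.challenges[account] = ch
	return ch
}

// Verify checks a response against the outstanding challenge and the amount
// the bank is about to execute. The challenge is consumed whether or not the
// check passes, so a captured response cannot be replayed.
func (b *Bank) Verify(account, response string, amountCents uint64) bool {
	ch, ok := b.challenges[account]
	if !ok {
		return false
	}
	delete(b.challenges, account)
	secret, ok := b.secrets[account]
	if !ok {
		return false
	}
	expected := Card{Secret: secret}.Respond(ch, amountCents)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(response)) == 1
}

// Transfer runs the customer-side flow the post describes: a plain
// challenge/response for every transfer, plus an amount-bound one above the
// threshold. displayedCents is what the customer sees and types into the
// reader; requestedCents is what actually reaches the bank.
func Transfer(b *Bank, card Card, account string, displayedCents, requestedCents uint64) bool {
	ch := b.Challenge(account)
	if !b.Verify(account, card.Respond(ch, 0), 0) {
		return false
	}
	if requestedCents <= secondAuthThresholdCents {
		return true
	}
	ch = b.Challenge(account)
	return b.Verify(account, card.Respond(ch, displayedCents), requestedCents)
}

func main() {
	b := NewBank()
	secret := []byte("constructed-card-secret-0001") // constructed sample secret
	b.Enroll("demo-account", secret)
	card := Card{Secret: secret}
	fmt.Println("honest EUR 120.00 transfer:", Transfer(b, card, "demo-account", 120_00, 120_00))
	fmt.Println("honest EUR 600.00 transfer:", Transfer(b, card, "demo-account", 600_00, 600_00))
	fmt.Println("EUR 600.00 shown, EUR 900.00 requested:", Transfer(b, card, "demo-account", 600_00, 900_00))
}
```

    The second response binds the amount only, as the post describes, and below the threshold nothing about the order is bound at all; a production scheme closes that gap by feeding the destination account number into the response as well, so that the payee is covered and not just the amount.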
  80. Right on ... by bdemchak · · Score: 1

    No system could be perfect, but let's give the Brits some credit for having thought about the problem from a systemic viewpoint. There's a parallel in the wireless rollout by the Orange ISP: in their router installation instructions, they instruct the user to create a WEP key and then use it. Additionally, it's against British law to use someone else's wireless system. Who knows the result?? I don't, but I can't help but think that clearer apportionment of responsibilities defines more clearly when bad behavior is occurring ... and by distributing responsibility throughout "the system", "the system" should be more secure. Obviously, it's very hard to prove any of this, but it's all sensible to me. Go Brits! ... in the long run, this is really the way it has to be.

    1. Re:Right on ... by Cederic · · Score: 1

      > it's against British law to use someone else's wireless system

      Off topic, but I think there's still potentially scope for the argument that providing an unsecured wireless network point is a de facto offer of service - purely based on the protocols in use.

      Hacking a WEP key (while trivial) to access one is on the other hand clearly circumvention of a security mechanism and thus contravenes the computer misuse act.

      Where the distribution of security falls down is when a bank customer uses internet banking from their work PC. I do this, and I know that my employer can (and maybe already did) install a screen/mouse/keyboard logger onto my work PC. I have no (official) control over this, it makes my PC more vulnerable than my home one, yet the bank doesn't mandate that people don't use their system from work.

      (Since the online banking I use at work is for the account I hold with the bank I work for, I'd really enjoy the conversation in which they suggested my work environment may not be secure ;)

      Similar arguments can be made regarding 'net cafes, libraries and any other computer not owned by the user.

      The banks have to assume users will be on an insecure PC and act accordingly. Anything else is merely an attempt to bully naive customers.
    2. Re:Right on ... by bdemchak · · Score: 1

      What an interesting comment, Cederic. I certainly understand and appreciate your concerns, and they're completely valid. Actually, the wireless law comment was pretty well in scope, though I didn't take much trouble to explain why. The thing about security (as your comment brings home well) is that there are no point solutions that solve "the problem". Security is implemented by measures within a fabric ... one fabric being the onion model often referenced in discussions like this ... that is, barriers within barriers within barriers. In that vein (and with other models), responsibility and barriers are justifiably distributed, and even so, there are no absolute guarantees. So, my comment on British wisdom really goes to my supposition that they're taking this kind of system view ... and also a view over the long term. Eventually, security really does need to be distributed, and those that aren't part of the solution really are part of the problem. Personally, I'm hoping that VPN technology becomes more mature soon, as I'm anxious to eliminate concerns about information in flight. Regardless, that doesn't solve any of the problems you mentioned ... there's a LOT to this subject. Now, as to ascribing motivations to the decision makers, I'm choosing an optimistic view, realizing that cynical views are possible and may even be justified. :)

  81. Liability for the Liable by Doc+Ruby · · Score: 2, Insightful

    Of course the bank shouldn't be responsible for losses incurred that are because the customer's own access device had a problem the customer should have known to fix. If the customer's device was vulnerable, but not actually compromised, of course the bank is liable if the bank's system caused the loss. Even if the customer's device was vulnerable and compromised, if that compromise didn't cause or contribute to the loss, of course the customer is not liable, if the loss was entirely the bank's fault.

    If the loss was incurred by a bad guy exploiting an open vulnerability in the customer's access device, then the liability should be exactly the same as if the bad guy had entered the customer's home and stolen the key to their vault at the bank. If the door was locked, the customer is not liable at all, and the burglar is fully liable.

    If the "door" was not locked, then the local laws, wherever the burglar did whatever they did to subvert the customer's device, will determine whether the burglar has any less liability for picking an easy target. The laws local to the customer's "unlocked door" will determine whether the customer has any more liability.

    This is all a matter of obvious principles of liability for one's actions, and long-settled law governing that liability. Of course the bank is liable for losses it caused, even if just through negligently failing to protect its own systems. Now, of course the bank is going to try to weasel out of that liability, if it can: banks don't care about principles or laws, just the money they can make or lose. But if I leave my credit card at a restaurant, and then some burglar breaks into my safe deposit box while the bank security guard sleeps, of course the bank is liable, and not me, and not the waitress who was trying to charge a new TV to my account at the time - even if she's responsible for the TV charge, completely independently.

    --
    make install -not war

  82. Re:Bullcrap. Don't need that stuff. by Anonymous Coward · · Score: 0

    The only virus to affect me in the past 10 years was due to this very problem. Now I always have AV on the computers I use to browse the web. Haven't seen one since though.

  83. Narrow vision by Anonymous Coward · · Score: 0

    > banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware, and firewall software installed on their machines

    Does Win Antivirus Pro count? It's pretty good at detecting a lot of infections. Is Norton recommended? Or is it banned as a vulnerability?

    Seriously, is there a list of approved software? Does the software have to be configured a specific way? What if it is configured to detect but not auto-heal?

    This requirement makes no sense to me. And it seems that once again, people use the same poor logic for digital interactions that they use for physical interactions. If somebody shows up at a teller window with a court-signed order for powers-of-attorney, what are the policies and procedures for handling that person's instructions? If somebody shows up at the teller window claiming to be me, but without knowing my account numbers, etc. (or even if they do know my account numbers), what are the policies and procedures for this interaction? If they can show a photo ID that matches my name, am I liable for whatever they do?

    Authentication and authorization are not computer-only concerns. Generally speaking, banks are very weak at this in all domains, physical, digital, or otherwise. I don't see how they can address these issues in any domain if they don't have a solution for face-to-face physical interactions. Start there, then work out.
  84. Anti-virus software may be poor practice... by argent · · Score: 1

    "Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall."

    Anti-virus software is not without risks, and unless there is a credible threat that would be alleviated by anti-virus software it should not be used. Anti-virus companies have pushed the use of anti-virus software on completely inappropriate platforms for so long that rules like this show up, without qualification, in corporate policy documents and guidelines... forcing people to reduce the reliability of their systems for no good reason.

    For example, there has been more damage caused by anti-virus software for handhelds than by malware for handhelds, due to bugs in the antivirus software that caused data loss directly or via false positives. Mac OS X users are also better off without antivirus software *at this point*, and even in some Windows environments antivirus is a net loss.

    This kind of guideline needs to be qualified.

    1. Re:Anti-virus software may be poor practice... by MulluskO · · Score: 1

      I agree, when I install an antivirus product the very first thing I do is disable all the "real-time" protections. They're usually more trouble than they're worth. A scheduled scan is good enough.

      --

      Too busy staying alive... ~ R.A.
  85. The death of security? by SanityInAnarchy · · Score: 1

    Anti-spyware and antivirus is a band-aid for insecure software and user practices ("Why yes, of course I trust 66.184.142.51, why do you ask?")

    I don't think you fully grasp what a "hardened OpenBSD version" means, or how unlikely it would be that they are compromised. Either you are suggesting that antivirus and antispyware are actually viable solutions (proving you know nothing about security), or you are suggesting that we should all switch to more standardized hardware platforms to prove to our bank that we're secure.

    The challenge here is to come up with a way for users to be responsible for their own security (don't give out your password like an idiot; banks shouldn't be responsible for phishing either) without allowing the banks to completely screw you over (whoops, we got 0wned, but we're going to say it was your fault because you weren't using Norton Clusterfuck Edition.)

    Unfortunately, I'm not sure anyone really likes the solution -- giving out private keys and making the user responsible for them. Done right, the bank would be powerless to do anything other than change the public key on file, thus any properly signed fraud would be the user's fault.

    --
    Don't thank God, thank a doctor!
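    The private-key model from the last paragraph of the post above, as an added Go example using ed25519 from the standard library. It is not any bank's scheme: the Transfer layout, the serial counter and the Customer and Bank names are this example's assumptions. The bank stores only the public key, verifies every order against it, and requires a strictly increasing serial so a captured order cannot be submitted twice; holding no private key, the bank cannot produce a valid order itself, which is the "powerless to do anything other than change the public key on file" property.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transfer is the order the customer signs. Serial is a per-account counter
// the bank requires to be strictly increasing, so a validly signed order
// captured in transit cannot be executed a second time.
type Transfer struct {
	From, To string
	Cents    uint64
	Serial   uint64
}

func appendU64(b []byte, v uint64) []byte {
	var tmp [8]byte
	binary.BigEndian.PutUint64(tmp[:], v)
	return append(b, tmp[:]...)
}

// Encode gives the order one unambiguous byte layout for signing; the length
// prefixes keep "ab"+"c" and "a"+"bc" from encoding alike.
func (t Transfer) Encode() []byte {
	var buf []byte
	for _, s := range []string{t.From, t.To} {
		buf = appendU64(buf, uint64(len(s)))
		buf = append(buf, s...)
	}
	buf = appendU64(buf, t.Cents)
	return appendU64(buf, t.Serial)
}

// Customer holds the private key. Only the public half is ever given to the bank.
type Customer struct {
	Account string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}

func NewCustomer(account string) (*Customer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Customer{Account: account, Pub: pub, priv: priv}, nil
}

func (c *Customer) Sign(t Transfer) []byte { return ed25519.Sign(c.priv, t.Encode()) }

var (
	ErrUnknownAccount = errors.New("no public key on file for account")
	ErrBadSignature   = errors.New("signature does not verify under the key on file")
	ErrReplay         = errors.New("serial not greater than the last accepted order")
)

// Bank keeps the public key on file and the last serial it executed.
type Bank struct {
	keys    map[string]ed25519.PublicKey
	serials map[string]uint64
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, serials: map[string]uint64{}}
}

// Enroll sets (or rotates) the key on file: the one thing the bank can change.
func (b *Bank) Enroll(account string, pub ed25519.PublicKey) { b.keys[account] = pub }

// Submit executes an order only if it carries a valid signature from the
// account holder's key and a serial the bank has not seen.
func (b *Bank) Submit(t Transfer, sig []byte) error {
	pub, ok := b.keys[t.From]
	if !ok {
		return ErrUnknownAccount
	}
	if !ed25519.Verify(pub, t.Encode(), sig) {
		return ErrBadSignature
	}
	if t.Serial <= b.serials[t.From] {
		return ErrReplay
	}
	b.serials[t.From] = t.Serial
	return nil
}

func main() {
	alice, err := NewCustomer("alice") // constructed sample customer
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Enroll(alice.Account, alice.Pub)
	order := Transfer{From: "alice", To: "bob", Cents: 12_50, Serial: 1}
	sig := alice.Sign(order)
	fmt.Println("first submission:", bank.Submit(order, sig))
	fmt.Println("replayed:", bank.Submit(order, sig))
	order.Cents = 999_00
	fmt.Println("amount altered after signing:", bank.Submit(order, sig))
}
```

    With this split the whole question of fault collapses onto one thing, how the customer protects the private key; that is the responsibility the post expects users not to like, and a compromised customer machine can sign anything, so the key belongs on a token rather than in a file on the PC.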
    1. Re:The death of security? by kesuki · · Score: 1

      I think you forgot to read TFA; in it, it was claiming that 91% of computers contain 'at least one spyware program' and that the 'average number of spyware found on 1 million scanned computers was 7'.

      Insecure software (MS Windows) is more popular than, say, even Apple's solution, which may not be any more secure by default, but at least it is based on the Unix security model, allowing the filesystem to be completely locked down, while still being useful to the end users...

      I realize hardened systems are much harder to compromise. But not even a hardened system is 100% secure. How can anyone be 100% sure that there are no backdoors without reading every line of code for trojans/backdoors? (I know OpenBSD has an audit team) and even then how do you know there are no bugs that allow for directory traversal, or root escalation, or buffer overflows?

      and how do you know that none of those flaws are possible to be exploited over the network? furthermore, is your password secure enough to stop hackers? is that rather long secure password you use, so hard for you to remember that you have to write it down? What if, because your system is so secure, the kid across the street from you decides to hack you, by using a good telescope to watch you look at your piece of paper, or record you as you type to get your login and password...

      sure, you could be in a room where all the windows are darkened, but how do you know they didn't jimmy the sliding door, and install a spy cam so they could get your login/pass?

      well, sure you could have home security so that they'd have to do it in 20 seconds or less, making it much less likely they would do it...

      but what if the neighbor kid is friendly with you? and one time while he's there when you go to the toilet, they install a physical key logger on your system?

      Sure you can check for a physical key logger every time you use your pc, but what if one time he notices your make and model of keyboard, and he decided to buy one exactly like it, and install an 'internal' key logger, and while you're in the john he swaps keyboards?

      Sure you can have hidden security cams, angled so they don't see what you type, but are you really going to check every time jimmy invites himself over to your place?

      the basic point is you can have the best security practices in the world, AND STILL GET compromised, because your 'openbsd' guys let a big remote vulnerability get through and they found out about it a month after black hats did.

      Any Windows machine that runs as administrator is a target for hackers. I should know, I got compromised, despite having what I thought was a secure firewall, and the compromise wasn't one of those easily noticeable ones, either: the systems never seemed to slow down, the internet worked at full speed, and they only sent packets when the screen saver was running. Had it on my machines for at least a full year before a different hacker compromised my system, and basically in so many words told me I was easy to hack, because I was already compromised.

    2. Re:The death of security? by SanityInAnarchy · · Score: 1

      > but what if the neighbor kid is friendly with you? and one time while he's there when you go to the toilet, they install a physical key logger on your system?

      Social engineering is pretty irrelevant, as it works (or fails) regardless of whatever security measures are on the machine. (Oh, and I carry my keyboard around with me, so that wouldn't work very well.)

      > the basic point is you can have the best security practices in the world, AND STILL GET compromised, because your 'openbsd' guys let a big remote vulnerability get through and they found out about it a month after black hats did.

      Which is irrelevant to the question of whether you should run antivirus. I would suggest that by the time we're worrying about physical keyloggers, darkening our windows, tempest attacks, and so on, any antivirus or antispyware is going to do exactly nothing for your security, one way or the other.

      That's the problem I have with this -- the requirement should be that the users run a reasonably secure system, or that the security of their system be audited if you're trying to blame the bank for fraud. Instead, the requirement is for some inane things like antivirus and antispyware -- which, seriously, by the time your antivirus list updates with the virus in question, you'll already be getting a patch for the vulnerability through your package manager.

      How late after the black hats exploit it is irrelevant, as again, as soon as the "white hats" know about it, they'll patch the vulnerability.

      The point is, antivirus and antispyware are only relevant on Windows, and then, mostly only if you know what you're doing. And if you don't know what you're doing, you can still be 0wned. It seems impossible to mandate end-user security properly -- seems like the best you can do is either start doing real two-factor authentication, or insure your users and eat any losses due to security issues, or simply stop doing Internet banking.

      --
      Don't thank God, thank a doctor!
  86. Re:Bullcrap. Don't need that stuff. by SanityInAnarchy · · Score: 1

    > Why should I have a firewall? I have a NAT router (hardware firewall).

    First, that's only inbound. Whether or not you need outbound is a different discussion.

    Second, what's behind that router? What happens when a friend brings over a laptop?

    > Why should I have antispyware? I know what I'm downloading.

    For the few times you want to be sure of something, or examine it. No reason you need to leave it resident all the time, scanning everything, but it is useful to be able to scan what you just downloaded.

    I think you've got that point, though:

    > - I don't download cracks. When I DO need to use a crack I upload it to virustotal and then run it in a virtual machine.

    How secure is your virtual machine? They've had vulnerabilities before.

    More relevantly, since you have no firewall (just a NAT router), it's entirely possible one of your virtual machines is part of a botnet. It's not going to get your bank info, maybe, but it's still going to spam the rest of us. Please block outbound port 25, at least.

    > - I run IE7 and Firefox. Although neither are perfectly secure I don't make it a habit to go to Russian warez sites.

    You're going to run into some site, somewhere, which is going to try to exploit you. I hope you're at least keeping those patched.

    > Dear god, SOMEONE explain to me why any reasonable user should need this resource-hogging crap?

    Sadly, it mostly wasn't written for reasonable users. It was written for morons who shouldn't be allowed to have local admin, ever.

    That said, it's possible to find free alternatives which aren't going to waste your resources -- at least not to a point you'd notice, if your box is capable of running virtual machines.

    --
    Don't thank God, thank a doctor!
  87. Where is that list stored? by SanityInAnarchy · · Score: 1

    If a new password is issued over the wire to whoever's logged in, that won't help much.

    There's also the matter of session hijacking -- they don't need to be in your session very long to cause damage. I imagine the sessions would be just a bit more liberal, if they're making you go to the trouble of checking a list.

    --
    Don't thank God, thank a doctor!
    1. Re:Where is that list stored? by blind+biker · · Score: 1

      Over the wire? That would be crazy. Nobody does that - here, at least. I am really curious what bank would do so - any examples you know?

      Session hijacking is something I thought about, but it seems pretty easy to protect against.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    2. Re:Where is that list stored? by SanityInAnarchy · · Score: 1

      Well, the trouble is, here in the US, banks are required to have two-factor authentication...

      Except they fail it. Badly. Apparently, having an "authentication image" and a bunch of pointless security questions about your mother's maiden name, in addition to a password, is what passes for two-factor authentication, and no banks seem to want to do it right, with things like a physical key.

      At least it's all SSL... well, sort of. My bank redirects me to some third-party site to actually do the SSL stuff. I've memorized the domain, so I should be reasonably safe, but... GodDAMN are we backwards here.

      --
      Don't thank God, thank a doctor!
    3. Re:Where is that list stored? by blind+biker · · Score: 1

      We get our password list by post. You could argue that that's also risky, but we trust our postal service in Finland.

      The two banks I have money at, do it this way:

      Bank #1: List of one-time passwords and 24 different "transaction" passwords delivered by post. You use your access code and one of the one-time passwords to access your account. Then if you want to make a payment, you need one of the 24 transaction passwords - you are told which one to use for each transaction (they have a letter of the alphabet associated with each one). This list lasts me about 2-3 months, but they obsolete it at a certain point even if I have one-time passwords left. When I get my new list, it also contains a new set of 24 transaction passwords.

      Bank #2: Here I get a list of 1-time "do-anything" passwords. I use my access code and access password to login to my account, but I can't do anything useful, not even see my funds, nada. If I want to do anything, I need to apply one of the one-time passwords.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  88. Re:Bullcrap. Don't need that stuff. by smallfries · · Score: 1

    Did you really go to all the trouble of misunderstanding him just to flog your point?

    At no point did the GP claim that a hardware firewall and a NAT router were the same thing. He pointed out that he doesn't need a (software) firewall on his box when it's sitting behind NAT. You know exactly what he meant, and why in the context of crappy windows security he's correct - but you tried desperately to show that you knew more about the subject than he does.

    Reread (exactly) what he said. Understand it. Shut the fuck up.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  89. Re:current US economy (offtopic!) by Lonewolf666 · · Score: 1

    I don't think the Federal Reserve and the politicians behind it care about GP or other homeowners in too much debt. They care about a possible mass bankruptcy among banks, which could really upset the economic landscape. There are similar tendencies in Europe BTW:
    A few state-owned banks have already received bailout money from the government.

    But I agree about the problem with bailing out idiots. Fortunately at least some have to pay for their mistakes:
    Bear Stearns (http://en.wikipedia.org/wiki/Bear_Stearns#Controversy) was sold off for a small fraction of its previous value to prevent a total collapse. In this case, the stockholders paid the price for not choosing a more competent management.

    --
    C - the footgun of programming languages
  90. Off Topic Comment on the New Interface by xoundmind · · Score: 1

    Hey, if we put enough of these in here maybe someone will listen... Please change back to previous formatting. The new one makes me not want to visit /. at all.

  91. Re:Bullcrap. Don't need that stuff. by st0rmshad0w · · Score: 1

    First off, firewalls don't belong on systems, they belong on networks, so (after a re-read) I agree with that point.

    But what he's saying is he doesn't need a firewall on his system because he's sitting behind NAT, and making the assumption that NAT is an effective firewall. NAT is NOT a true firewall! It is at best a passive protection that can be overcome.

    If NAT were a truly effective firewall there wouldn't be a market for any of the other high-end gear out there.

  92. Banks and Online Banking by David_Hart · · Score: 2, Insightful

    Say what you will about Paypal and eBay, but Paypal has the option (at least in the US) to pay $5 for a Security Key. This provides two factor authentication, something that you have (the security key) and something that you know, your password. Something that has been around for over 20 years. Most current trojans are out to grab your ID and password and store them for later use. You can't do that with a constantly changing security key number.

    Banks, like any other business, just do not really care about security. What they do care about is liability. It's the same as insurance companies. Which costs less, added security or the losses involved in security that is "just good enough"? What we are now seeing is that this balance is changing as a result of an increase in computer trojans that are out to steal money.

    Until the banks provide the consumer with better security options, in my opinion, the liability falls on their doorstep.

    David

  93. Re:Bullcrap. Don't need that stuff. by st0rmshad0w · · Score: 1

    You might also want to re-read what he was saying because:

    "I have a NAT router (hardware firewall)."

    sounds pretty much like he's stating they are the same thing, even if he's only trying to point out the lack of need for an on-system firewall.

  94. Got em. by mutube · · Score: 1

    I'm with the Royal Bank of Scotland and we've been using them for over a year so far. Me and the missus have 2 accounts each (1 person, 1 joint) so they sent us 4 of the things: my overdraft charges at work. On the one hand it takes the whole convenience out of "online banking" when you have to carry a calculator around with you. On the other, it is obviously secure and vaguely "futuristic".

    They've also implemented an online increased security thing that 'intercepts' banking transactions and requires you enter particular digits out of an additional password. Annoying, but more secure. Now you're entering a name, a card number, an expiry date, a 3 digit security code off the signature strip, and 3 digits from a password. Convenience. I'm waiting for v3 where they take a sperm sample.

    Rather than these little boxes of tricks, I've wondered if they couldn't just provide you with a sum to remember ("number plus 5, times 3") and then supply you with a random number at login to calculate with. Might require a bit of mental arithmetic but let's face it, the plebs need the practice.

    1. Re:Got em. by aedan · · Score: 1

      I'm with the RBS too but they have never asked me to use the wee calculator thing. Perhaps I don't have enough in the bank to make it worth while.

  95. Re:Bullcrap. Don't need that stuff. by Anonymous Coward · · Score: 0

    Your lack of Clue(TM) demonstrates the precise reason why people should have this protection.

    A NAT router is not a firewall. Is it a high-end Cisco or OpenBSD machine, or some crappy consumer Linksys (or similar) "router", or PeeCee running Ubuntu Linux? In any case NAT routing is hardly adequate protection against anything.

    Can you be absolutely sure where your software is coming from? Are you immune from MITM attacks? DNS poisoning or hijacking? Security breaches at the server, your ISP, or your network infrastructure? Software from friends sent in good faith but which turns out to be bad? Clueless friends or family breaking things or introducing unvetted software?

    The only way to completely secure a computer is to turn it off. If you decline to use a very simple and basic security measure and rely on chance and your own capabilities, you're a fool, IMHO.

    Now, presumably you have some technical inclination. What about all the people out there who are completely technically inept?

    -- Allah

  96. You get the latter, anyway by Anonymous Coward · · Score: 0

    I'm not sure anybody has a good test to determine "competence". I know many drivers who are fully licensed but I would not consider them competent drivers. Look how many DUIs get arrested every New Year's -- are these people competent drivers? (They scored at least an 80% on the multiple-choice test that said DUI was unsafe and illegal, so they must be!)

    Having a driver's license does not excuse you from having to accept responsibility. If I run down a kid I cannot simply point to the D.O.L. and say "they said I could drive, so it's their fault!" and get away with it.

    I also know people with no licenses who are perfectly safe drivers. I suspect these facts are related: if they screw up, they're in a lot of (legal) trouble, so they want to be extra-safe. A similar thing happened with mandatory insurance: once the state required that everybody have insurance, car wrecks *increased*. Lower risk means, in general, more recklessness. I'm not going to argue against safety devices, but would you see kids doing 90mph on wet roads if they didn't have car insurance and seatbelts and crumple zones and 16 airbags?

    I don't think an "Internet License" would do anybody any good. People without one would still use the internet. People with one would still get in trouble. You would still be legally responsible. It would simply be another way for the government to clog up the system. When was the last time you said "this industry has operated so much more smoothly since the government got involved"?

    It'll be the TSA for computers. Nobody wants that.

  97. Um. by mutube · · Score: 1

    Do negative balances count as enough?! Maybe they wanted to make sure it wasn't fraud so when I couldn't pay up they could do me over without excuses.

    P.S. I could send you one if you wanted, I've got spares.

    1. Re:Um. by aedan · · Score: 1

      I've got one for the RBS and the memsahib has one for... errr... whatever bank she is in.

      I like the way they don't ask for the whole password and number but I wish they gave you more than two goes before you get locked out.

  98. perfect /. business plan... by zotz · · Score: 1

    for rogue bank employees?

    1. write app to check if customer has av, asw,fw software installed.
    2. if yes, conduct transaction; goto 1
    3. if no, conduct transaction; clean out account; goto 1
    4. Profit!!!!

    So, a beneficial use of GOTO? And no ??? at point 3. but still...

    all the best,

    drew

    --
    FreeMusicPush If you want to see more Free Music made, listen to Free
  99. Simple by pjt33 · · Score: 1

    To cover all vectors. It's not unknown, to take an example, for brand new USB drives to be infected.

  100. You've Got To Be Kidding Me, part 38957357 by Duncan+Blackthorne · · Score: 1

    Should end users be ultimately responsible for the state of their systems? Hahaha, you very funny. The average end user isn't competent enough to ensure the security of their computer system. Hell, they can't even seem to learn to stop clicking on "free stuff" links that install malware/adware/trojans. Assigning blame for the state of things isn't productive.

    "The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks..." so much for the credibility of any "decisions" they hand down. Of course they're going to protect their own interests (so to speak) and try to slough off the blame onto their customers, they're banks!

  101. Solution by Lost+Engineer · · Score: 1

    Can't believe no one has said this yet. Make a system where you can't steal someone's money via purely online transactions (credit cards aside, fraud protections still remain for those).

    You can still transfer money via some system that's actually authenticated like ACH or to your own accounts with the same bank. There's really nothing you need to be able to do with just a user name and password that can be exploited by a thief.

    Anecdote:
    Bank of America allowed someone to log onto my account and sign me up for "bill" pay, then write himself a check for the contents of the account, all in one session. I told them first of all to never ever let anyone use bill pay on my account again and then I took nearly all of my money out of the bank ASAP.

    Oh BTW bill pay is just a fancy way of letting anyone with your password write a check to anyone on the planet and have BofA mail it for him. It is enabled by a click through online.

    B of A has a new thing however called SafePass that will require you to enter a temporary code received via text message before you can do things like transfer money or bill pay. I highly recommend you enable this if you bank there.

  102. One word: Xbox by tepples · · Score: 1

    Before we jump up on both feet and applaud we should bear in mind how MS would likely deal with this responsibility if it fell on them. For starters, they would implement a trusted computing model that would make DRM and WGA look like FOSS by comparison (probably something along the lines of being a node on a corporate network). They'd likely also shut down support for any software other than their most current offerings.

    "3rd party software?" you ask. Aren't you cute! Well yes it would probably exist but it would all have to be Microsoft Certified. Or to put it shorter: Xbox.

  103. Children who use the same PC as you by tepples · · Score: 1

    Why should I have antispyware? I know what I'm downloading. Hypothetical: Your little cousin, who visits your house twice every two weeks and uses your computer, isn't as smart as you are. He likes to play random games and game-modding tools downloaded from the Internet. You don't have the disposable income to buy a separate computer for him to use. Now should you have software to detect spyware?

    Why should I have antivirus? For the same reason.

    When I DO need to use a crack I upload it to virustotal and then run it in a virtual machine. Imagine not having enough RAM to run your existing OS and another OS in a virtual machine. Good luck finding a spot on your PC's motherboard that isn't already filled with the largest RAM stick that it can hold. (My PC maxes out at two 256 MiB sticks.)

    Dear god, SOMEONE explain to me why any reasonable user should need this resource-hogging crap? That's why I run ClamWin. It's a manual scanner, not a real-time scanner. I have it set to run a full system scan once a week, and Firefox 3 tells it to scan each file that I download through Firefox. But other than that, ClamTray doesn't use nearly as much RAM and CPU as the McAfee installed on my (newer) work PC.

  104. Re:Bullcrap. Don't need that stuff. by smallfries · · Score: 1

    I've heard this claim before that NAT can be overcome (can't remember where) and it is an interesting point. In the typical installation - private class C behind the NAT. Port forwarding switched off. How exactly would you go about overcoming the firewall?

    I can see that a carefully crafted packet could fool the system into relaying it - although if the router has been designed properly the PPP to the outside world and the hub behind should be physically separate networks. But how would you fool it into masquerading the connection to get the other half of the socket connected?

    I ask out of genuine curiosity as it is a claim that I've come across but not worked out how it could be done.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  105. Re:Bullcrap. Don't need that stuff. by fwarren · · Score: 1

    I don't make it a habit to go to Russian warez sites

    Since it is not a habit, once every few months must be ok?

    You know. Just to see what kind of cool music they are putting on the keygens these days.

    --
    vi + /etc over regedit any day of the week.
  106. Good security model by Hashi+Lebwohl · · Score: 1

    My bank - which shall remain unnamed - in Australia has what I think is a very secure way of handling account transfers. For each transfer to another account, they send me via SMS a unique, one use only verification code that can only be used for that transaction. Seems pretty foolproof to me.

    --
    I'm in to sadism, bestiality and necrophilia. Am I flogging a dead horse?
  107. How true. by Jane+Q.+Public · · Score: 1

    Yes, in fact I would suggest that very thing. But I agree, the buck has been passed until it has reached Neverland, or maybe Oz.

    And yes, "follow the money" does really work. However, if you are a reasonable person I challenge you to try diligently for a few days to follow your tax money, even just with your local municipality and state, and try not to keel over from apoplexy!

    When I have done that (and I have, a little), I have found myself alternating between sheer astonishment and abject fury. If I were a MORE reasonable person than society allows these days, I would track down a bunch of these "representatives" of mine, and punch them in the nose. But current law does not seem to allow reasonable behavior. Sigh.

  108. God bless corporatism and their many minions! by OldHawk777 · · Score: 1

    Religions have always supported the state: ancient Egypt, WWII Vatican, ....

    Evolution is natural; now the states support the holy dogma of corporatism.

    No corporation can be held accountable for the normal human behavior to accept exploitation. I used to pity the Mexicans and Chinese for being a cheap public commodity, but EU, US, UK, RU ... citizens are all proving to be far less than the public body of a democracy.

    The institutions that could end ID theft have always been the same that act as proxy for the ID thieves. In the USA it became obvious with the personal information OptOut FuckUS. The banks in the UK say FuckEU too with a rusty rancid corkscrew.

    Democracy, Capitalism, Public, Citizen are delusional concepts, we think the corporatist/plutocrat is delusional, but reality indicates the substance hitlers, napoleons, Caesars ....

    --
    Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
  109. Re:Scare tactics - technical correction by ancientt · · Score: 4, Informative

    Not to say the other method isn't better, but it isn't quite that bad. I used to work in the debit processor industry, essentially our computers were the ones that the PIN was sent along to.

    It actually works like this: PIN entry -> Unique encryption in keypad (light sensitive PRAM typically) -> Debit machine processing -> VPN or dial-up direct to processor -> decryption based on id of machine and uniquely assigned encryption keys -> somehow (varying) communicated to bank ->back up the line with approval/denial.

    It is supposed to be using hardware that never stores the encryption keys (triple DES mandated) anywhere that is accessible from the machinery that processes the transaction and they're tamper resistant (not quite proof, but difficult) with the encryption key knowledge being split between (at least) two people. The keys are unknown to the people who handle them until the time of entry and only stored in the end machine and in the processing machine (identified by serial number or machine ID.)

    It is possible for the systems to be compromised in several ways, but paranoid safeguards are in place to make it difficult. Getting card numbers is no terrific feat, as evidenced by all the news stories about exactly that, but mechanically getting PINs usable for debit transactions is tremendously more difficult. That isn't to say it can't be done, but it does raise the barrier much higher than just sending your PIN along.

    On the other side though, the decision on whether to approve or deny a transaction is typically just a matter of an unencrypted 0 or 1 along with the mirror of the transaction. If a transaction is denied, but the machine gets a 1 where it should have received a 0, then the merchant has no immediate indication that the cash or goods weren't paid for. Machines using debug or emulation modes occasionally get into service and approve everyone without even validating the transaction, but as you can imagine that gets pretty prompt attention.

    --
    B) Eliminate all the stupid users. This is frowned upon by society.
  110. With some banks... by rnturn · · Score: 1

    ... they seem to think that users are nothing more than fee-paying machines. So what's one more fee (or two): You wish to bank electronically with us, we insist that you use this browser that only runs on an operating system with more security problems than you can count. And if you don't buy some additional software to attempt to secure the operating system, you cannot do business with us. Well, not securely, anyway.

    So, let's add it up: Need costly operating system because we only support the browser that comes with that. OK, that'll be in the neighborhood of US$200 for the basic version (which is handcuffed and you won't be happy with, by the way). Need additional software to mostly plug the security holes in the expensive operating system. That'll run you something like US$99/year. So the first year will set you back around US$300. All so you can access your money that we're keeping for you and earning interest at a rate that doesn't even keep pace with inflation. What a deal! Makes writing a few checks and dropping them in the mail at the end of the month look pretty inviting.

    --
    CUR ALLOC 20195.....5804M
  111. But the logic is consistent by SuperKendall · · Score: 1

    If a bank only lets you connect via one OS/browser combo, you are effectively co-opted into the software ecosystem as designed by the bank

    You are only told specifically what the entry point of the system is...

    The note about the user being responsible for client side security makes even *more* sense when you consider the entry point they specify. There's simply no way the banks can have any control over your client environment, and do anything about a locally installed password sniffer on your end. So the direction that the user is responsible for malware capturing data and passwords is locally just making clear to non-technical users just where the bank ends and your computer begins.

    I agree it's insane that banks are not generally more supportive of more secure systems and browsers (and indeed if they had any sense be active in pushing more secure user systems!). That just means that technical folk need to seek out and use financial services that are supportive, and help others to do the same.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  112. Who else? by LinuxLuver · · Score: 1

    In so far as the relationship is between the bank and the customer and the bank has NO control over the state of the customer's computer, the liability for client-side security faults can ONLY lie with the customer. Having said that, the customer also has a relationship to the vendors who leave them exposed to any risk. An operating system that cannot safely be connected to the Internet without 3rd-party software being added should only be sold with that, and any other caveats, clearly stated or risk being sued for improperly representing their product as "fit for purpose" (Internet use) when it clearly isn't.

    --
    Only boring people are ever bored.
  113. Auditing and Forensics by kylehase · · Score: 1

    I smell a huge opportunity for third party consumer security auditing and forensics. Many consumers will want some assurance that their PCs meet the bank's security standards. Forensics will be important for breached accounts that are not audited.

    --
    You want fun, go home and buy a monkey!
  114. Hmmmmm..... by IHC+Navistar · · Score: 1

    There is something like that here in the U.S......

    When I got my first credit card, I wrote "Check Photo I.D." in the signature box so that when the cashier did the signature check that they were supposed to do, they would be reminded to check the photo I.D. This ensured that all blame would fall on the merchant for not sufficiently verifying the identification of the person trying to pass the card. If a merchant simply accepts the card, and the info it contains, and fails to verify that it is valid, then the problem of fraudulent charges becomes the problem of the merchant/retailer.

    If someone reports a fraudulent charge, they can always ask the merchant if a valid I.D. was checked and verified. Obviously, the answer is 'no' (if they say 'yes' then they are lying, and that is a whole new problem for the merchant), and the merchant has to take responsibility for the charge.

    There is always the possibility that the customer is lying, but, there are other ways to tell if the merchant is lying, or telling the truth (such as signatures and CCTV).

    --
    Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
  115. Not law.... by freedom_india · · Score: 1

    Let's get the facts straight.
    It's NOT law if an association makes it.
    It's law Only and Only if the parliament makes it, and the Queen approves the same after the Lords approve it.
    BBA can call it whatever they want, but it will never stick in a court of law.
    How come the user is held responsible for a lousy OS?
    The banker is a trustee of my money. I have "loaned" it money that I may demand anytime.
    And as a creditor I can demand the bank provide me details of my money in a way I deem fit.
    If the bank cannot provide me access to my details, then I assume the bank cannot repay my debt and I can request the courts to wind it up quickly.

    --
    "Doing what i can, with what i have." ~ Burt Gummer
  116. Chain of blame. by miffo.swe · · Score: 1

    This isn't as bad as it looks. The bank puts the blame on the user for having an unsecured OS. That person in turn should put the blame on his operating system's supplier.

    The problem here is that software today is sold without any warranty at all, not even functionality. In the eye of the law you've just bought a book/movie. This should be changed so software is treated as any other goods. Only then will quality and security of software start to rise.

    --
    HTTP/1.1 400
  117. security of banking institutions a joke by Anonymous Coward · · Score: 0

    I'm posting anonymously because what I have is pretty bad information for my banking institute. A few months ago, I was helping my mother move some heavy stuff into storage at the bank where she's a loan officer, and I noticed that the wiring closet was not locked (it is in the large general-use storage closet). Not only that, but this closet is right next to the restrooms, which aren't clearly visible from any of the offices or the main lobby. The internet backbone for this place is wide open to anyone that feels like wandering into it.

    I told my mom about my concerns, and she brought it up to the bank manager. Apparently, nothing is being done... well, maybe they lock the door (not even a dead-bolt).

  118. Re:Bullcrap. Don't need that stuff. by Anonymous Coward · · Score: 0

    Ok, you might not need a firewall. Remember your wireless network is the same side of your NAT router as you are.

    Do you REALLY know what you're downloading? Do you know what's happening for EVERY web page, and EVERY email you get? Do you look at the HTML code, the asp, the jsp?

    Do all your friends behave the same as you? All your colleagues? Your family? Are you certain they don't send you emails, give you cds, usb sticks, that may contain a little virus?

    Russian Warez sites aren't the only place you can pick up this crap you know.

    What makes me despair is that in your case, a little knowledge is a dangerous thing. You think you're safe when you're not. You need to get real, and get real quick.

  119. Re:Bullcrap. Don't need that stuff. by coolsnowmen · · Score: 1

    I understand how that can happen, but I don't see how both anti-spyware/norton antivirus would be better than the latest security updates to firefox in that situation.

    If someone has found cutting edge exploits, you don't think they could write a program that antivirus wouldn't detect?

    Really, Internet browsers will need to be completely sandboxed before that level of security is reached. Do you run your browser in vmware player?

  120. Is it really more secure? by Erikderzweite · · Score: 1

    I use the online-banking system by Sparkasse (Germany). I do think it is pretty secure even without chip-and-pin. No javascript or ActiveX, SSL, automatic logout after a given period of inactivity, ability to change your username along with password (not just account number and pin if you wish)...
    But the most effective security measure is a simple list with 100 pins I got from them. On every transaction I am told to enter, say, pin 45. I look for pin 45 in the list and enter e.g. 681343. So I feel a bit like a submarine captain checking nuclear codes before the launch. If I use 80 pins, they'll send me a new list.
    A keylogger on my PC can capture my username/password (btw, trojans are yet to appear in gentoo portage), but without the pin-list they are useless. Loss of the pin-list means nothing too - the one who finds it will have to know my username/password. I may be prone to a man-in-the-middle attack, but so is the chip-and-pin system. I do check the URL of my banking site, don't transfer money from unknown networks (no false DNS'). Now, why exactly is chip-and-pin more secure?

  121. Banking - you're doing it wrong by SgtChaireBourne · · Score: 1

    If a bank only lets you connect via one OS/browser combo, you are effectively co-opted into the software ecosystem as designed by the bank - it's all their system. Very few banks in the UK have IE-only websites, so that's not a particularly big deal.

    What is an issue is the wording - nothing in The Register's article suggests that they've included the magic phrase "where necessary". You could be using an SELinux box tightened beyond belief with no need for anti-spyware or antivirus, but if you get ripped off through a website, their first question is going to be "What antivirus are you running?" and if the answer isn't a well known commercial product, then it's your problem and not theirs.

    People are leaving MSIE, if not also MS Windows, in droves. So flexing their M$ agenda by requiring MSIE would backfire quite nastily at this point.

    Well, also seeing as the banks have been replacing secure ATMs with insecure ATMs due to putting M$ ideology ahead of technological factors, it's only natural that they begin to follow the M$ practice of blaming the customer.

    Further, some major banks took that ideology two steps further and started destroying crucial components of their infrastructure by replacing it with M$. It's so bad that Microsoft's XSS hole causes state consumer agencies to tell people to file for damages from Sampo Bank, Danske Bank and the others. Too bad so many advertising budgets are dependent on M$ otherwise we'd hear about it in the mainstream media.

    Again, the M$ tactic of blame the user helps the banks. At the least it creates a smoke screen that allows the public to get all indignant about such preposterous attitudes thus drawing the focus of the banks' home made catastrophe or willful negligence.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:Banking - you're doing it wrong by torkus · · Score: 1

      People are leaving MSIE, if not also MS Windows, in droves. So flexing their M$ agenda by requiring MSIE would backfire quite nastily at this point.

      Reference? A few % variance does not constitute 'droves'. I'm not a MS fanboy, but if you're going to try to make a point at least leave the opinion-distorted facts out of it. I've heard how Linux is going to take over the desktop market 'any day now' for about 10 years now. I've heard claims like yours that 'everyone' is dumping MS for at least half that time as well.

      Anyone have the latest desktop stats from a legitimate source?
      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  122. Different system in the Netherlands by slashbart · · Score: 1

    Let me see, we have at least three systems in the Netherlands, where this is not an issue:

    1) the TAN list. This is a paper list of TransAction Numbers. If you want to transfer money, you need to type the next TAN number on the list.
    2) the TAN number is transferred to you from the bank's server via SMS. That's right: you okay the transfer, and then you have to type the TAN that you get on your GSM phone into the browser.
    3) A physical little calculator thingie that you type a number into (from the browser). It gives back another number that you type (to login, and/or to okay a transfer).

    None of these systems is vulnerable to most forms of hacking (except for man in the middle, and man in the browser). Just stealing someone's login name and password doesn't do you any good.

  123. Re:Bullcrap. Don't need that stuff. by Tastecicles · · Score: 1

    -- Why should I have a firewall? I have a NAT router (hardware firewall).

    Hardwalls stop crap coming in. Outbound traffic is allowed because this is how consumer NAT routers work. Softwalls don't stop incoming traffic, but they do (theoretically) stop outbound. So, you need both for protection from actual hack attempts (incoming) and keyloggers etc (outgoing). Hell, I run a softwall on my Linux gear - because it's the smart thing to do.

    -- Why should I have antispyware? I know what I'm downloading.

    Do you?

    -- Why should I have antivirus?

    If you're using Microsoft XP, you absolutely require it. You don't even have to open a browser to get owned these days - there are exploits out there that merely require a live internet connection to your machine to infect it. What's the average run of an unprotected XP box? About ninety SECONDS. (I've actually witnessed this, and on more than one occasion).

    For more anecdotal evidence: I sold a machine last year to this guy. It had AV/AS fully loaded and functioning. He came back with it two hours after he took it away, and informed me that he'd turned the AV/AS off because the machine was too slow for him, at which point it had slowed to a crawl. I ran a PXE virus scan on the system; in the two hours he'd had it, less the time to transport it, hook it up/unhook it, kill the AV/AS, his box had been completely owned. Nearly three thousand signatures. I have the screenie. His internet history showed precisely four pages. All Yahoo Search. I make it a matter of policy, apart from testing on a sandboxed router, not to connect a presale box to the network - any network - so any network activity other than a port 50,000 ping to an odd subnet isn't mine. All updates and software installations are run from a DVD. Covering my own arse.

    -- - I don't download cracks. When I DO need to use a crack I upload it to virustotal and then run it in a virtual machine.

    On your head be it. I don't use cracks. Period. I've seen too many boxes owned because their owners couldn't be arsed to fork over £800 for the latest-greatest Enterprise-level graphics suite. If I need something like that I look for a FOSS alternative. Photoshop? Fuck off, bring out The GIMP.

    -- - I run IE7 and Firefox. Although neither are perfectly secure I don't make it a habit to go to Russian warez sites.

    That's as may be, but malformed URLs, embedded exploits, rogue Java code etc. aren't the sole domain of random Russian sites. And IE7? I'm not convinced about that behemoth. AFAIK it only sandboxes itself on Vista. And just what, exactly, does that entail? Opening another process? That's Microsoft sandboxing? Where's the entire virtual machine?

    To me, sandboxing is firing up QEMU and running a custom Knoppix build with a window manager, framebuffer, http stack, network driver, Iceweasel browser, hosts file and nothing else. Loads as quick as Firefox, and is safe because it runs entirely in RAM, doesn't touch the HDD, and when you kill the process every local trace of your browsing is gone forever.

    I'll leave you in your illusory cotton-filled bubble.

    --
    Operation Guillotine is in effect.
  124. The user is the weakest link. by MikeFM · · Score: 1

    The problem is that no matter how secure your network is, if you allow people that are less secure than you to connect to your network then your security is as weak as their security. The weakest link is always the place of failure. If some dumbass running Windows with 40 different key loggers infecting their system connects to your secure website and enters their username and password then there is nothing you can really do to repair that damage. At that point the account is owned by whoever is collecting that information. Obviously the bank can't be held accountable for that account if the customer is going to make no effort to protect themselves.

    No security module is going to protect users' accounts so long as the user still uses an insecure OS that hasn't even been properly updated since it was installed and which is usually infected by loads of crappy viral ware.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    1. Re:The user is the weakest link. by plover · · Score: 1
      Again, the security module is a handheld device resembling a small pocket calculator, and is NOT attached to the PC. The user enters their secret PIN only into the trusted handheld, never into the PC itself, and never into the merchant's PIN pad.

      When you go to make a transaction, you enter your secret PIN into the handheld, and it displays a PIN for you to use for this one transaction. The PIN is valid for only one transaction. Key loggers can record the PIN as it is being legitimately used, but it is now spent and is no longer valid for a second transaction.

      The handheld isn't ever connected to the internet, and doesn't get software upgrades. Unless they break into your house and physically mess with your personal module, the bad guys cannot tamper with it, and they cannot install key loggers on it. Even if they did, since the device is never connected to another system, there would be no way to have the device dump its logs without a second break-in to retrieve it.

      --
      John
  125. Abbey National! by Xest · · Score: 1

    Their site was IE6 only after IE7 had been forced out by automatic updates; I found that somewhat amusing. If you'd installed IE7 or used Firefox then tough, you couldn't access your money via the net. It wouldn't be so bad if it wasn't for the fact that Firefox had been out for years and was far more secure than IE6. The fact that they not only weren't prepared for IE7's release but still didn't support it months and months after release, when it's much more secure than IE6 and had been forced out via Microsoft Update, tells me it's certainly not my IT policy I need to be worrying about. I'm not suggesting it's any better to upgrade to the latest and greatest version of a browser automatically and assume it to be more secure, but certainly supporting IE6 only over IE7 and very mature, secure versions of Firefox is laughable.

    I'm not sure it's fixed even now, to be honest. The only difference is you can tell it to log in anyway if you're using something other than IE6, whereas before it refused if it didn't like your user agent string.

    1. Re:Abbey National! by jimicus · · Score: 1

      I don't know if there's some other system I don't know about, but I've been an Abbey customer for about 4 years now, using the Internet banking site more or less since I opened the account.

      In that time, it has always complained if it didn't like your browser. But it has always allowed you to click through and log in anyway. And I don't think I have ever seen an issue with it which could reasonably be blamed on browser incompatibility.

  126. Re:Bullcrap. Don't need that stuff. by Inda · · Score: 1

    You don't download cracks? I do. I have done so for over 10 years. Have a guess at how many viruses I've picked up this way?

    Yeah, I hate guessing games too...

    Zero is the answer. The warez scene is not a problem.

    Guess how many nasty-o-programs I've caught from emails, magazine cover disks, legit programs from branded sites,..?

    More than I care to mention.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  127. Lets ask this question then?... by jskline · · Score: 2, Insightful

    If Barclays sets up this stuff and adheres to it, and I as a possible customer have an account there by which I physically pay my bills by cheque, but never by using any of the online services, and in fact never even initialise any of the access online, and someone accesses my account and rips me for all my funds, am I still responsible?

    I think that deserves a look, don't you? Language, after all, is still legal, and how you phrase your "terms of service" is how you either are forced to replenish the customer's funds or get off scot-free and not face any repercussions.

    Just a thought...

    --
    All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
  128. Re:Bullcrap. Don't need that stuff. by Jason+Levine · · Score: 1

    Security is best in layers. So you don't download cracks or warez. Great. You've eliminated a big source of virus infestation. I'll go out on a limb and assume that you don't open e-mail attachments or download screensavers from websites either. But perhaps you just bought a brand new hard drive and connected it to your system. Congrats. You now have a trojan on your system. Since you're not running an antivirus application, you won't know that your system is infected. If you were running a firewall, it might pick up a rogue process trying to connect to the Internet and alert you to this. If you ran a program like Startup Monitor, it might alert you that the trojan was trying to get itself to run at Windows startup.

    If you ran an anti-spyware application, you might find out that that application that you know and trust recently added some spyware into the install. Perhaps the spyware addition wasn't even listed as an option for disabling. However, again, a firewall or Startup Monitor would alert you to the presence of this infection based on its behavior (trying to access the Internet and setting itself to run on startup). An anti-spyware application would find and clean the spyware off your system.

    Even the most careful user will slip up (or be blindsided) once or twice. The security layers will prevent your system from being infected (or will minimize the damage) when those slipups occur.

    As a side note, I'm always amused when people say "I've never run an anti-virus scan and I have never had a virus infection, EVER!" If you don't run antivirus, how do you know that you're not infected? (This last point isn't directed at you specifically, but at a general attitude I've seen over the years.)

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  129. Most web banking software is insecure. by zerofoo · · Score: 1

    I used to be a network admin for a small community bank. The ugly secret of online banking is that most online banking apps are HORRIBLY designed.

    The particular product we used was broken into many times (via SQL injection attacks). The vendor's fix was to add code to detect and block recognized SQL injection patterns instead of redesigning the application so it was not vulnerable. This "anti-virus" approach wasn't very effective.

    When we spoke with other banks using other products, the consensus was similar - online banking software sucks.

    Our solution was to require an RSA token on any account that had the ability to move money out of the bank (i.e. commercial accounts that had the ability to originate Automated Clearing House (ACH) transactions). We also made the RSA token optional for non-ACH customers.

    Blaming customers for phishing and insecure configurations is deplorable behaviour by a bank. Who do you blame when your customer is on vacation and they use a compromised hotel computer to access their account?

    Banks can effectively secure their online banking products, but it takes a little work, and money, to do it effectively. Requiring RSA tokens is a giant step towards fixing the problem.

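The pattern-blocking "fix" zerofoo describes above, set beside the redesign the vendor should have shipped, as an added example that is not code from the post, from any bank or from any vendor. The login function, the two sample accounts and the blacklist are all constructed here; sqlite3 stands in for whatever database the real product used. The point it makes is the one in the post: a blacklist catches the payloads it was written for and nothing else, while a bound parameter is never parsed as SQL at all.

```python
import re
import sqlite3

# Constructed sample accounts; not data from any real bank.
ACCOUNTS = [
    ("alice", "s3cret", 1200.00),
    ("bob", "hunter2", 50.00),
]

# The vendor-style "fix" the post describes: a blacklist of payload shapes
# seen in earlier break-ins, bolted on in front of an unchanged query.
BLACKLIST = [
    r"(?i)\bor\s+1\s*=\s*1\b",   # ' OR 1=1
    r"(?i)\bunion\s+select\b",   # UNION SELECT ...
    r"--",                       # comment out the rest of the statement
    r";",                        # stacked queries
]


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, pw TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def looks_like_injection(value: str) -> bool:
    return any(re.search(pattern, value) for pattern in BLACKLIST)


def login_blacklist(conn: sqlite3.Connection, user: str, pw: str):
    """Vulnerable: SQL built by string formatting, guarded only by the filter.

    Returns the matched user name, or None when login fails or the filter fires.
    """
    if looks_like_injection(user) or looks_like_injection(pw):
        return None
    sql = f"SELECT user FROM accounts WHERE user = '{user}' AND pw = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, user: str, pw: str):
    """Redesigned: bound parameters, so input is data and is never parsed as SQL."""
    row = conn.execute(
        "SELECT user FROM accounts WHERE user = ? AND pw = ?", (user, pw)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = setup()
    known = "' OR 1=1 --"        # the payload the blacklist was written for
    variant = "x' OR 'a'='a"     # no 1=1, no comment, no semicolon: slips through
    print("blacklist vs known payload  :", login_blacklist(conn, "alice", known))
    print("blacklist vs variant        :", login_blacklist(conn, "alice", variant))
    print("parameterized vs variant    :", login_parameterized(conn, "alice", variant))
    print("parameterized, real password:", login_parameterized(conn, "alice", "s3cret"))
```

The variant payload works because `AND` binds tighter than `OR`, so the WHERE clause becomes `(user = 'alice' AND pw = 'x') OR 'a'='a'` and matches every row; extending the blacklist to `'a'='a'` just invites the next spelling (`'a' LIKE 'a'`, `1<2`, and so on). The parameterized version has no such moving target, which is what "redesigning the application so it was not vulnerable" means in practice.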
  130. Keylogging can be defeated by zerofoo · · Score: 1

    By following FFIEC rules and implementing a TRUE 2-factor authentication system like RSA tokens.

    Any credentials stored by a keylogger are useless due to the token expiration.

    RSA tokens are not perfect; they are still vulnerable to a man-in-the-middle attack, but those attacks are rare and can be mitigated through the use of certificates.

    -ted

  131. US legal precedents from the 1930s may affect... by Anonymous Coward · · Score: 0

    (posting as anonymous coward - registered as WannaBeaLawyer)
    If this were a court case in the US one might need to go back to the 1930's to find a legal precedent to influence the outcome. Do a quick search for the TJ Hooper case. Here's a summary: Guy with a tugboat rents barges from one party and contractually agrees to haul coal for another in said rented barges. Plan is to take the coal from a port in the Virginia area, up the eastern seaboard, to NYC. Halfway there a storm sinks the barges, losing both the barges and the coal. One would *think* that it's a clear case of "natural disaster" or "act of God" so the tugboat guy isn't liable, right?

    Not so fast... Turns out that there was an as-yet unproven, sporadically-functional NEW technology called "radio" available. Further, this new-fangled radio thingie allowed one to hear weather forecasts in advance of such an event, providing capability to move to a safe harbor when necessary to ride out a storm. Further yet, lots of other people were already using this technology, even though it a) wasn't 100% reliable and b) wasn't required by any law or other document to be used in either a marine or terrestrial application. Some of those other people were taking the SAME route as this guy, WERE able to avoid the storm, and DIDN'T lose their cargo or barges. (There's a bit more to the story but I'm trying to get to the point.)

    The court found against the defendant (i.e. the tugboat owner lost the case and was liable for the entire loss) both during the original case and then again on appeal. One of the arguments used was the "reasonable man" argument which simply states that any "reasonable man" would protect his assets in whatever way was available, whether required by law or not.

    So the question may not be "Who put the data on the network in the first place?" or "Shouldn't the bank be responsible for the security of the data on their network?" or any one of the myriad of other questions posted by the intelligent slashdot community.

    Instead, one might start to ask questions about how the outcome of the TJ Hooper case might influence an actual court case. Questions such as: "Since antivirus software, firewalls, IDS/IPS, and other similar technologies are a) readily available, b) proven technology, and c) relatively inexpensive, why wasn't the bank CUSTOMER acting as any *reasonable man* would act? Especially if the banking website recommends the use of these technologies?"

  132. Still the banks responsibility... by foniksonik · · Score: 1

    If they can't make a reasonably secure interface to their banking system, they shouldn't offer it.

    If the banks offered a Money-Pit interface where they just dropped your money into a pit somewhere and sent you the GPS location and did not supply a security guard to watch over the money until you arrived to pick it up... would it then be your fault if the money was stolen?

    The banks certainly would not offer such a service as they know it would not be your fault. Otherwise there would also not be any security guards at the bank branch offices themselves...

    Protecting the money you entrust to them is the sole reason for their existence. How can they state that protecting it is not their problem?

    If they can't offer a secure internet banking service to their customers then they should not be offering a service at all.

    If a secure service means that it is inconvenient for their customers to use then THAT is the customers' problem... but the security of the transaction and interface to the data... THAT is the banks' problem.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  133. Re:current US economy (offtopic!) by torkus · · Score: 1

    Haha... shareholders (the smart ones) and senior management at Bear Stearns already made their money. Look up the bonuses their executive staff got paid LAST year and tell me again what 'price they paid'.

    Oh, woe is me. I didn't get my $100MM bonus (or whatever) this year like I have for the last 5. /wrists

    Seriously... this isn't meant as flamebait, but more to make the point that most of the people involved in the collapse of Bear Stearns are NOT suffering greatly from their decisions. They're still going to live a lifestyle greater than the vast majority of people. This is a PROBLEM.

    --
    You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  134. Re:Bullcrap. Don't need that stuff. by coolsnowmen · · Score: 1

    So I don't know. But no one has replied yet so this is my guess:

    The easiest case is that someone other than you (because of course you know what you are doing) gets compromised by an email virus/fake porn dialer/free game, and then you are finished, because if you can execute code on the inside of the NAT then it's game over. Also, if the mirror you download your Firefox update from is hacked, then you just ran a hacked binary.

    Other common exploits like JavaScript would also negate the NAT. For common people, these scripts might first try and hack the NAT from the inside using the default passwords. If it is compromised then, again, game over.

    Once I understood how ARP poisoning, UDP hole punching, and NAT static and dynamic port forwarding work, I think that the router itself cannot be hacked unless it has an inherent security flaw. But most people use Linksys/Belkin, and there are definitely people who don't update the firmware, so that is a small but real possibility.

    The other method assumes that you have actual computer users behind your NAT that make connections to the outside world. Any connection going out can be abused to send packets in. So if you are like me and have a static port forward to get your Apache to work even though it's on port 800, then Apache can clearly be hacked. But any outgoing connection can be abused, so you basically have to trust that EVERY program connecting to the internet will behave perfectly.

    There are really too many ways to accidentally run compromised code in user space to assume that your entire network behind a NAT is protected any more than a public IP from scanning.

    If I'm completely off base, whoops.

  135. Re:YES! YES, for crying out loud, you ARE responsi by Opportunist · · Score: 1

    What I want is people taking responsibility for the tools they use and their actions. All I want is that people take sensible and expectable precautions. Could you tell me why I should (indirectly) pay for their loss? I don't expect anyone to become an IT security expert. Not only because that would kinda put me out of business. But it cannot be expected from anyone, I agree with that. Nobody is expected to get his degree in CS just to browse some pages and do his online banking. But I do expect people to take sensible precautions against ID theft when they do financial transactions with their computer.

    I'd already be happy when people installed some AV tools if they don't want to handle it themselves. If you don't think you can handle your computer's security yourself, hand it over to someone else. If you still become the victim of ID theft, ok. You have taken steps that can be expected from you to avoid damage.

    What bothers me is people who act negligently and then whine for compensation for their stupidity.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  136. Re:Give the banks a break here by GargamelSpaceman · · Score: 1

    If your system is infected with malware, then everything you do or type is available to that malicious software. The malicious software definitely can log into your account using the password you just typed and take your money. Even with some funky card/chip/biometric thingamabob, the malicious software, because it controls your computer, is already in a position to bypass any security measure you could hope to put in place. Banks can't offer online banking unless customers are responsible for their own security. Which really means banks can't offer online banking. Someday a botnet of hundreds of thousands of machines will all suddenly empty the bank accounts of all those they infect into random or not so random places, losing people billions or trillions of dollars, and putting the kibosh once and for all on online banking.

    Banks might safely offer an unmesswithable *device* that could connect to the internet securely. Like a handheld ATM, it would be under complete control of the bank. Sure you could probably devise some read-only interface to download your crap to your computer. But ideally, your bank should offer most of the software you need to do everything you want right there on the closed and sealed and secure device.

    --
    ...
  137. You're overgeneralizing by Giant+Electronic+Bra · · Score: 1

    It is all nice and all to make an analogy, but that doesn't mean all analogies are GOOD analogies. In fact in light of where this thread started, that one makes no sense at all to me.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
  138. Re:Bullcrap. Don't need that stuff. by Anonymous Coward · · Score: 0

    Zero day stuff, iFrame exploit attacks, hacked SSL servers (check phishtank.com). If you are using Windows, you HAVE TO run antivirus if you have valuable data or do anything with money/RL on it.

    My Virtual PC 7 under OS X (PowerPC G5x4 here) has AVG antivirus installed, and a secondary program test (Kaspersky) found a spyware DLL inside my %WINDIR%. I have only downloaded security updates, got only some GSM phone sync/backup etc. utility from the companies themselves, and that damn thing managed to get into Windows.

    Oh, forgot to say, I found a very cheap XP Home Edition and bought it in original form, from MS. It is not a cracked OS either.

    Using IE 7 or Firefox doesn't make you secure, really.

  139. Re:YES! YES, for crying out loud, you ARE responsi by rant64 · · Score: 1

    As we speak, the Daily WTF hits my feedreader.
    http://thedailywtf.com/Articles/Halifax-Bank-Security.aspx

    Antivirus and tools are no match for this kind of idiocy, if it's true... They just don't expect the bold nerve and fall prey to social engineering and scams sooner or later. This is a bank teller, for chrissake.

    If anybody's trusting enough not to verify the authenticity of any kind of claim that hits them financially, then online business is not even their worst problem. Yes, people who forsake their identity this easily should eat the consequences. But I'm saying, in the context of TFA, that online banking, with the right tools, is more secure than withdrawing cash in person. Providing the security measures is the responsibility of the bank, demanding those measures is the customer's.

    It'll never happen, will it? :(

  140. Re:YES! YES, for crying out loud, you ARE responsi by Opportunist · · Score: 1

    The problem is that the bank should be responsible for the technical integrity and security of a device not under their control, their customer's computer. That's how the technical ID thefts work. A trojan on the customer's computer manipulates the transaction on the fly, in a way that the bank can under no circumstances see a difference. I have seen it first hand and I am out of any ideas how the bank should identify such a manipulation. There is no way the bank can discriminate between data you entered and data sent through the browser by a trojan.

    As a matter of fact, I have pretty good insight into the security mechanisms working in a bank. What the teller in the link you sent did should be enough to fire him or her on the spot. But the security in technical transfers is as good as it can be, on the side of the bank. I know of no single incident where online ID theft was caused by negligence on the bank's side. It's usually down to people being tricked into surrendering their ID to a third party by social engineering ("log in here and hand over a few details so we can reset your online banking") or the machine of online banking users being hijacked by trojans.

    In either case, the bank is not liable for this. In either case, the online banking user made a mistake. In the first case, I have not the slightest sympathy for them. A fool and his money are easily parted, and entering your security information into some random page is foolish behaviour. In the second case, I would at the very least require the user to prove that he did take reasonable steps to protect himself from trojans.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  141. Bullshit by Anonymous Coward · · Score: 0

    This only forces them to run a synchronized attack. That is, they catch the password, and redirect your connection to their server. Then they connect to the bank, and use the password. Next time you start a transaction and give the next password, they keep redirecting you to the server. Then they change the transaction, and send it over to the bank, together with the new password.

    They could also do this locally, and simply modify the transaction before you're sending it, while keeping your PC displaying the expected unmodified transaction.

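The two halves of the argument above, as an added example that is not code from any of the posters or from any bank: slashbart's TAN list and "calculator thingie" (122), plover's handheld (124.1) and zerofoo's tokens (130) say a captured one-time code is worthless after use, and the anonymous reply (141) says a trojan sitting in the browser can still swap the payee on a fresh code. Both are modelled here with a counter-based HMAC code. The per-customer secret, account names and amounts are constructed; the "signed" variant assumes the token folds the payee and amount into the code, which is how a transaction-signing calculator differs from a plain login-code token.

```python
import hashlib
import hmac

# Assumption: a per-customer secret shared between the token (or the TAN list
# generator) and the bank. Constructed value, not a real key.
SECRET = b"constructed-per-customer-secret"


def otp(secret: bytes, counter: int) -> str:
    """Counter-based one-time code: the next entry on a TAN list, or what a
    token shows when you just ask it for a login code."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def tx_code(secret: bytes, counter: int, dest: str, amount: int) -> str:
    """Transaction-bound code: the counter AND the payee/amount go into the
    MAC, so the code only authorises the transfer the user actually keyed in."""
    msg = counter.to_bytes(8, "big") + f"{dest}|{amount}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Bank side: holds the shared secret and the next expected counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0
        self.ledger = []

    def transfer_with_otp(self, dest: str, amount: int, code: str) -> bool:
        expected = otp(self.secret, self.counter)
        if not hmac.compare_digest(code, expected):
            return False
        self.counter += 1                 # code is now spent
        self.ledger.append((dest, amount))
        return True

    def transfer_signed(self, dest: str, amount: int, code: str) -> bool:
        expected = tx_code(self.secret, self.counter, dest, amount)
        if not hmac.compare_digest(code, expected):
            return False
        self.counter += 1
        self.ledger.append((dest, amount))
        return True


def keylogger_replay():
    """A keylogger records the code; replaying it later buys nothing."""
    bank = Bank(SECRET)
    code = otp(SECRET, bank.counter)               # user reads it off the token
    first = bank.transfer_with_otp("ACC-LANDLORD", 500, code)
    replay = bank.transfer_with_otp("ACC-MULE", 500, code)
    return first, replay                           # (True, False)


def man_in_the_browser_otp():
    """A trojan swaps the payee before submission. The code is fresh, so a
    bank that only checks the OTP accepts the altered transfer."""
    bank = Bank(SECRET)
    code = otp(SECRET, bank.counter)
    hijacked = bank.transfer_with_otp("ACC-MULE", 500, code)
    return hijacked, bank.ledger[-1]               # (True, ("ACC-MULE", 500))


def man_in_the_browser_signed():
    """Same trojan, but the token computed its code over the payee and amount
    the user saw. The altered transfer fails; the genuine one succeeds."""
    bank = Bank(SECRET)
    code = tx_code(SECRET, bank.counter, "ACC-LANDLORD", 500)
    hijacked = bank.transfer_signed("ACC-MULE", 500, code)
    legit = bank.transfer_signed("ACC-LANDLORD", 500, code)
    return hijacked, legit                         # (False, True)


if __name__ == "__main__":
    print("keylogger replay          :", keylogger_replay())
    print("man-in-the-browser, OTP   :", man_in_the_browser_otp())
    print("man-in-the-browser, signed:", man_in_the_browser_signed())
```

The caveat a practitioner will want: the signed variant only helps if the payee and amount are shown to the user on something the trojan does not control (the token's own display, or the SMS that carries the TAN). If the browser feeds those values into the token, or the user types them in without reading them, the trojan simply signs its own transfer. That is the "man in the browser" exception slashbart already lists, and it is why the SMS variant works better when the message spells out where the money is going.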
  142. Re:Bullcrap. Don't need that stuff. by st0rmshad0w · · Score: 1

    This is a pretty good synopsis of basic NAT vulnerabilities:

    Busting the NAT Myth
    By Sig Fidyke, Senior Product Manager, and Scott Pinzon, LiveSecurity Lead Editor, WatchGuard Technologies, Inc.

    Have you ever settled down to dinner, only to be interrupted by unsolicited telemarketing phone calls? It makes you glad that at work, your business has a main number other than your desk phone. If necessary, you can tell the company receptionist, "Unless my boss or my spouse calls, don't forward any calls to me." Then if telemarketers call the main number, looking for you, the receptionist terminates their call without bothering you. In fact, if you wanted, you could keep your desk phone number completely private so that no one knew it except fellow employees and close family members.

    However, if you achieved that ideal, would you then say, "My private phone number makes me safe in all regards. Now we can fire the company's security guards and leave the doors unlocked"? Foolish, right? Yet for some reason, many people follow that very logic when concluding that a NAT device is a firewall. This article debunks the myth that a NAT device is "good enough" security, and explains why you're better off using a real firewall to protect your network.

    NAT Attacks

    Network Address Translation, or NAT, works roughly like the receptionist in our opening illustration. It hides your private, or unregistered, network addresses from the public. When packets leave your network, heading for the wild Internet, a NAT device replaces all private IP source addresses with one public address (usually its own). Since the NAT box advertises its own address to the world as the source address, all replies from the wild Internet return to the NAT device, analogous to the way phone calls to everyone at your company might first come to a main phone number. And just as the receptionist answering the main number can redirect incoming phone calls to the desired individual, NAT checks an internal table to redirect replies to the appropriate computer inside the network. If an attacker initiates a connection to your network through some oddball port, like 31337, the NAT box would check its table and think, "Gee, no one inside this network requested information on port 31337. Now I don't know who to send this packet to." Typically, it then drops the packet. So, in this sense, NAT-only devices do provide a modicum of security. (The rest of this article assumes you understand basic NAT, so if the concept is new to you, before continuing you might want to read "Using Network Address Translation" and "How and When to Use 1:1 NAT.")

    Since NAT is designed to do the best it can to allow traffic in, any security benefits it provides are mere side-effects. Hackers have developed attacks specifically for NAT devices, such as the following.

    Exploiting open ports. For port-based NAT, once a NAT device opens a port by putting it in the NAT table, all traffic destined to that port is allowed through to the local computer identified in the table. NAT substitutes unusual ports for well-known ports, but usually derives its substitute port numbers from a standard range. Hackers can persistently keep guessing at which ports NAT has opened until they get through. Since they use automated programs to do this, the hacker doesn't have to be overly persistent or lucky -- he just tries a lot of addresses until something breaks.

    Taking the DMZ server. Some NAT devices can be configured so that packets not matching anything in the NAT table are sent to a specified computer, rather than discarded. This gives the administrator a chance to ensure that good traffic is not lost, and to allow a program to work that won't work through NAT. But it's horrible from a security perspective. It means the NAT device sends everything through. Once a hacker gets control of the one computer where everything

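A small model of what the NAT discussion in this thread keeps circling (Tastecicles' hardwall/softwall split in 123, coolsnowmen's inside-out cases in 134, and the "exploiting open ports" and port-forward points in the WatchGuard piece above), as an added example that is not code from any poster, from WatchGuard or from any router vendor. All addresses, ports and the Apache box on port 800 are constructed. It implements a port-based NAT with a translation table, an optional static forward, an optional egress allow-list standing in for the software firewall, and a switch between address-restricted and full-cone behaviour; the scenario functions then show which packets get through in each configuration.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    """Port-based NAT. Addresses are constructed for the example; the private
    side is 192.168.1.0/24 and the router's public side is 203.0.113.5."""
    public_ip: str = "203.0.113.5"
    # static port forwards, external port -> (internal ip, internal port)
    forwards: dict = field(default_factory=dict)
    # None means plain NAT: every outbound connection is allowed out
    egress_allow: Optional[set] = None
    # True: a mapping only admits packets from the remote it was created for
    # (address-restricted). False: full-cone, anyone may use the open port.
    restrict_remote: bool = True
    # dynamic table, external port -> (internal ip, internal port, remote ip)
    table: dict = field(default_factory=dict)
    ports: count = field(default_factory=lambda: count(40000))

    def outbound(self, pkt: Packet):
        """Packet leaving the LAN. Plain NAT never refuses; only an egress
        policy (software firewall, or egress rules on the router) can."""
        if self.egress_allow is not None and pkt.dport not in self.egress_allow:
            return ("DROP", None)
        ext = next(self.ports)
        self.table[ext] = (pkt.src, pkt.sport, pkt.dst)
        return ("ALLOW", Packet(self.public_ip, ext, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet):
        """Packet arriving from the Internet. Forwarded ports always get
        through; anything else must hit a mapping an inside host created."""
        if pkt.dport in self.forwards:
            ip, port = self.forwards[pkt.dport]
            return ("FORWARD", Packet(pkt.src, pkt.sport, ip, port))
        entry = self.table.get(pkt.dport)
        if entry is not None and (not self.restrict_remote or entry[2] == pkt.src):
            ip, port, _remote = entry
            return ("REPLY", Packet(pkt.src, pkt.sport, ip, port))
        return ("DROP", None)


ATTACKER = "198.51.100.7"      # constructed
SCANNER = "198.51.100.99"      # constructed, a second outside address


def scan_unsolicited(router: NatRouter) -> str:
    """The 'modicum of security': nobody inside asked for port 31337."""
    return router.inbound(Packet(ATTACKER, 4444, router.public_ip, 31337))[0]


def port_forward_exposure(router: NatRouter):
    """A static forward to the Apache box on port 800 makes it reachable
    exactly as if it had a public address."""
    action, pkt = router.inbound(Packet(ATTACKER, 4444, router.public_ip, 80))
    return action, pkt.dst, pkt.dport


def keylogger_exfil(router: NatRouter):
    """An infected PC phones home on 6667. NAT lets it out, then lets the
    controller's traffic back in over the mapping it just created."""
    action, translated = router.outbound(Packet("192.168.1.10", 51000, ATTACKER, 6667))
    if action != "ALLOW":
        return action, None
    reply = router.inbound(Packet(ATTACKER, 6667, router.public_ip, translated.sport))
    return action, reply[0]


def guess_open_port(router: NatRouter) -> str:
    """The article's 'exploiting open ports': an inside host has a live web
    connection; a scanner at a different address probes the translated port."""
    action, translated = router.outbound(Packet("192.168.1.10", 52000, "93.184.216.34", 80))
    if action != "ALLOW":
        return action
    return router.inbound(Packet(SCANNER, 4444, router.public_ip, translated.sport))[0]


if __name__ == "__main__":
    plain = NatRouter(forwards={80: ("192.168.1.20", 800)})
    egress = NatRouter(forwards={80: ("192.168.1.20", 800)}, egress_allow={53, 80, 443})
    fullcone = NatRouter(restrict_remote=False)
    print("unsolicited scan, plain NAT   :", scan_unsolicited(plain))
    print("forwarded port 80             :", port_forward_exposure(plain))
    print("keylogger exfil, plain NAT    :", keylogger_exfil(plain))
    print("keylogger exfil, egress filter:", keylogger_exfil(egress))
    print("guess open port, restricted   :", guess_open_port(plain))
    print("guess open port, full-cone    :", guess_open_port(fullcone))
```

Two things the model makes concrete. First, the NAT box alone never stops the keylogger: the outbound connection is allowed, and once the mapping exists the controller's packets flow back in, which is the case for an egress policy whether it lives on the router or in a host firewall. Second, the port-guessing attack in the WatchGuard text only works against full-cone behaviour; an address-restricted table, which is what most consumer routers implement for TCP, drops the scanner's probe even though the port is "open". A static forward, on the other hand, is exposed under every setting.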
  143. Re:Bullcrap. Don't need that stuff. by smallfries · · Score: 1

    Thanks for the reply, that was very informative. The section about what is wrong with NAT that firewalls fix is a bit loose - the points about open ports and machines in the DMZ apply to firewalls just as much as to NATs. The remote admin and pings are red herrings - most NATs that I've seen in the past few years switch these off by default now.

    The points about where firewalls are more secure products were really interesting. I hadn't thought of the sequence number bouncing, and yet it's a basic part of many crypto protocols to stop replay attacks. The outbound filtering matches up well with the other reply about compromised machines.

    Good points, cheers for the info.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php